Configuring permissions for your no-code backend REST API
Permissions can be configured on all operations (Create, Read, Update and Delete) of your no-code backend REST API. They determine, for example, what an anonymous visitor to your website can do compared with a user who is signed in.
The combination of permissions you choose should be based on your application's design.
The table below describes each permission in detail. You can also skip this section and continue with the rest of the tutorial.
| Operation | Access | Description | Example usage |
|---|---|---|---|
| Create | Public | Anyone can create data | In a blog CMS, public users can add comments against articles |
| Create | Users | Only registered users of your application can create data | Most common: in a 'To-do Lists' application, users can create their own lists |
| Create | Admin only | Only 'Data Admin' users can create data | In a booking management system, only admins can add the locations that are bookable |
| Read | Public | Anyone can read data | In a blog CMS, an article can be read by anyone |
| Read | Users | Only registered users of your application can read data | In a booking management system, logged-in users can see available time-slots |
| Read | User only | Data can only be read by the user who created that data (data remains private to the user) | Most common: in a 'To-do Lists' application, lists are private to each user |
| Read | Admin only | Only 'Data Admin' users can read data | In a blog CMS, only an admin can see how many times an article has been edited |
| Update | Public | Anyone can update data | In a simple fuel price tracking system, you allow anyone to update that day's fuel price at a particular gas station through an app |
| Update | Users | Only registered users of your application can update data | In a simple fuel price tracking system, you only allow registered users to update that day's fuel price at a particular gas station through an app |
| Update | User only | Data can only be updated by the user who created that data (data that's private to a user) | Most common: in a 'To-do Lists' application, a list can only be updated by the user who created it |
| Update | Admin only | Only 'Data Admin' users can update data | In a booking management system, only an admin can update a bookable location |
| Delete | Public | Anyone can delete data | In a simple web-based demo of an application, you allow anyone to delete a record and start over |
| Delete | Users | Only registered users of your application can delete data | In a simple web-based demo of an application, you allow registered users to delete a record and start over |
| Delete | User only | Data can only be deleted by the user who created that data (data that's private to a user) | Most common: in a 'To-do Lists' application, a list can only be deleted by the user who created it |
| Delete | Admin only | Only 'Data Admin' users can delete data | In a booking management system, only an admin can delete a bookable location |
Continuing with our sample app, switch to the Access tab of the Lists model.

We want only registered users to create lists, and no one other than the user who created it should be allowed to read, update or delete a list. In other words, we want data to be private to users.
To achieve this, we will set Create access to Users and set other access types to User only.

Do the same for the Tasks model.

Click the Update service button and wait for your service to be deployed.
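As an added example (not the platform's own code), here is a small reference model in Python of the four access levels from the table, with the Lists model's chosen policy applied (Create = Users, Read/Update/Delete = User only). The `Requester` and `Record` shapes are assumptions for illustration; the model also shows why Users would be the wrong choice for Read, since any signed-in user could then read another user's lists.

```python
from dataclasses import dataclass
from typing import Optional

# The four access levels from the permissions table.
ACCESS_LEVELS = ("Public", "Users", "User only", "Admin only")


@dataclass(frozen=True)
class Requester:            # assumed shape: who is calling the API
    user_id: Optional[str]  # None means anonymous (not signed in)
    is_admin: bool = False  # holds the 'Data Admin' role


@dataclass(frozen=True)
class Record:               # assumed shape: a stored List or Task
    owner_id: str           # the user who created the record


def is_allowed(access: str, who: Requester, record: Optional[Record] = None) -> bool:
    """Evaluate one access level for one requester against an optional record."""
    if access not in ACCESS_LEVELS:
        raise ValueError(f"unknown access level: {access}")
    if access == "Public":
        return True
    if who.user_id is None:          # anonymous: only Public passes
        return False
    if access == "Users":            # any registered user
        return True
    if access == "Admin only":       # registered user with the Data Admin role
        return who.is_admin
    # "User only": the record must exist and belong to the requester;
    # without the ownership comparison this degrades to "Users".
    return record is not None and record.owner_id == who.user_id


# The policy chosen for the Lists model in this tutorial.
LISTS_ACCESS = {"create": "Users", "read": "User only",
                "update": "User only", "delete": "User only"}


def check(operation: str, who: Requester, record: Optional[Record] = None,
          policy: dict = LISTS_ACCESS) -> bool:
    """Look up the operation's access level in the policy and evaluate it."""
    return is_allowed(policy[operation], who, record)
```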

Your no-code backend REST API is now secure. Next, we will connect it to a front-end app.