Control access to your content using ACLs
Apstrata gives you a simple way to apply fine-grained access control to all of your content, which Apstrata stores as NoSQL key/value structures called documents. Structural and validation rules are applied to documents through document schemas, which define document types.
In a schema, you use Access Control Lists (ACLs) to specify who is entitled to read from or write to a given field, or set of fields, in your documents.
Example: anyone can see the top scores but can't modify their values
In most electronic games, a player can view the list of high scores achieved by the different players of the game (the "hall of fame"). On the other hand, updating the score of a given game is only permitted to the player of that game. So, if you are developing such an app for mobile devices using Apstrata, how do you specify read/write permissions on the score?
This is actually very simple to do:
- First, create a schema for your game document type (we recommend using the Apstrata workbench), if not already done, to define the required fields and their validation rules.
- Next, add a new <aclGroup> to the <aclGroups> section of the schema. An ACL group specifies the read and write permissions that apply to the set of fields it contains.
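The schema below is an added example written for this page, not a listing taken from the original tutorial or from Apstrata's own documentation. It follows the general layout of Apstrata XML schemas (a <fields> section with validation rules, then an <aclGroups> section with a default ACL and named ACL groups that list the fields they cover). The field names "player" and "score", the group name "hallOfFame", the numeric type, and the exact principal names ("anonymous", "creator", "nobody") are assumptions to confirm against the schema editor in the workbench.

```xml
<schema xmlns="http://www.apstrata.com/schema">
  <!-- Added example: assumed schema layout, field names are illustrative -->
  <fields>
    <field name="player">
      <validation>
        <type>string</type>
        <cardinality>single</cardinality>
      </validation>
    </field>
    <field name="score">
      <validation>
        <type>numeric</type>
        <cardinality>single</cardinality>
      </validation>
    </field>
  </fields>
  <aclGroups>
    <!-- Assumption: fields not listed in any aclGroup fall under defaultAcl.
         Keeping it restricted to the creator avoids accidentally exposing
         a field you forgot to place in a group. -->
    <defaultAcl>
      <read>creator</read>
      <write>creator</write>
      <delete>creator</delete>
    </defaultAcl>
    <!-- The hall of fame: anyone may read these fields, only the user who
         created the document may change them. -->
    <aclGroup name="hallOfFame">
      <read>anonymous</read>
      <write>creator</write>
      <fields>
        <field>player</field>
        <field>score</field>
      </fields>
    </aclGroup>
  </aclGroups>
</schema>
```

Read access on the hall-of-fame fields is granted to anonymous, so even an unauthenticated client can list the scores, while write access is reserved for the creator, the user under whose identity the document was saved. That is why the identity used when the document is first saved (the apsdb.runAs value in step 3 below) matters: it decides who will later be allowed to update the score.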
You can try your schema ACLs directly from the Apstrata workbench; do not forget to give the schema a name and save it.
Step 1. Create two users (players)
First, create two users for your application that we will use in the test: click on "Manage App > Users > Save User", fill in the form fields to create a first user (let's set its login to "user1"), then save. Repeat these steps to create a second user (login "user2").
Step 2. Create a schema
If not already done, click on "Manage App > Schemas > New" to create a new schema. Copy/paste the schema example above and save it (in the steps below, we chose "game" for the schema name).
Step 3. Create a game document as user1
Using the API Explorer, select SaveDocument. In the form that is displayed, set the "apsdb.schema" field to the name of the schema you have just created, then fill in the form with appropriate values. Once done, scroll down to the "apsdb.runAs" field. This field lets you, as the application owner, impersonate your users; enter "user1" here to create the new game document as that user, which makes user1 its creator. Keep in mind that runAs works with the owner's credentials, which belong in your test tools, not in the mobile app shipped to players. Click Run: you should get a successful response containing a document key (the identifier of the created document), which you should copy.
Step 4. Try to update this same document as user 2
Now, using the SaveDocument form of the API Explorer, fill in the "apsdb.documentKey" field with the value copied from the result of the preceding step, set the "apsdb.runAs" field to "user2", and click Run. As expected, you get an error message informing you that user2 does not have permission to update this document: write access to the score is reserved for the document's creator, user1.