
Control access to your content using ACLs

Apstrata gives you a simple way to apply fine-grained access control to all your content, which, in Apstrata, is saved as NoSQL key/value structures called documents. Structural and validation rules can be applied to documents using document schemas, which define types of documents.

In your schemas, you can use Access Control Lists (ACLs) to efficiently specify who is entitled to read from or write to a given field or fields in your documents.


Example: anyone can see the top scores but can't modify their values

In most electronic games, a player can view the list of high scores achieved by the different players of the game (the "hall of fame"). On the other hand, updating the score for a given game is only permitted to the player of that game. So if you are developing such an app for mobile devices using Apstrata, how can you specify read/write permissions on the score?

This is actually very simple to do:

  • First, create a schema (we recommend using the Apstrata workbench) for your game document type, if not already done, in order to define the required fields and their validation rules.
  • Next, create a new <aclGroup> in the <aclGroups> section, which specifies permissions on the set of fields it contains:
<schema>
	<aclGroups> <!-- An ACL group is an arbitrary set of fields on which you need to set permissions -->
		<aclGroup name='playerOnly'> <!-- we declare an ACL group specific to the "lives" field of a game document -->
			<read>creator</read> <!-- creator is a predefined role in Apstrata that resolves to the user who creates the document -->
			<write>creator</write>
			<fields> 
				<field>lives</field> <!-- nobody except the creator of the document is able to read/write the content of the "lives" field -->
			</fields>
		</aclGroup>
		<aclGroup name="anyone"> <!-- we declare an ACL group specific to the remaining fields of a game document -->
		    <read>anonymous</read> <!-- anonymous is a predefined role in Apstrata. It means that anyone has read access -->
		    <write>creator</write>
		    <fields> <!-- the below fields are freely accessible for reading by anyone, but can only be updated by the creator -->
		        <field>score</field>
				<field>level</field>
				<field>player</field>
		    </fields>
		</aclGroup>
		<schemaAcl> <!-- this section specifies who is entitled to read/update the current schema -->
			<read>nobody</read> <!-- nobody is a predefined role in Apstrata that automatically resolves to the owner of the application -->
			<write>nobody</write>
			<delete>nobody</delete>
		</schemaAcl>
	</aclGroups>
	<fields>
    	<field name="score" type="numeric">
    		<validation>
    				<cardinality min="1" max="1"/>
    				<range min="0"/> <!-- The score cannot be less than 0 -->
    		</validation>
    	</field>
    	<field name="level" type="numeric">
    		<validation>
    				<cardinality min="1" max="1"/>
    				<range min="0" max="30" /> <!-- The level is a value between 0 and 30 -->
    		</validation>
    	</field>
    	<field name="lives" type="numeric">
    		<validation>
    				<cardinality min="1" max="1"/>
    				<range min="0" max="10" /> <!-- A player can have from 0 to 10 lives -->
    		</validation>
    	</field>
    	<field name="player" type="string">
    		<validation>
    				<cardinality min="1" max="1"/>
    				<regex>^([a-zA-Z0-9@*#]{3,10})$</regex> <!-- The player's name is a string of 3 to 10 characters: letters, digits, '@', '*' or '#' -->
    		</validation>
    	</field>
	</fields>
</schema>

Try it!

You can try your schema ACLs directly from the Apstrata workbench. Do not forget to give the schema a name and save it.

Step 1. Create two users (players)

First, create two users for your application that we will use in our test: click on "Manage App > Users > Save User". Fill in the form fields to create a first user (let's set the login to "user1"), then save. Repeat these steps to create a second user (let's set the login to "user2").

Step 2. Create a schema

If not already done, click on "Manage App > Schemas > New" to create a new schema. Copy/paste the above example and save it (in this example, we chose "game" for the schema name).

Step 3. Create a game document as user1

Using the API Explorer, select SaveDocument. In the form that is displayed, set the name of the schema you have just created as the value of the "apsdb.schema" field, then fill in the form with appropriate values. Once done, scroll down to the "apsdb.runAs" field. This field allows you, as the application owner, to impersonate your users. In this field, enter "user1" to create a new game document as this user. Click "run": you should get a successful response with a document key (the identifier of the created document) that you should copy.

      

Step 4. Try to update this same document as user2

Now, using the SaveDocument form of the API Explorer, fill in the "apsdb.documentKey" field with the value copied from the result of the preceding step. Then, set the value of the "apsdb.runAs" field to "user2" and click "run". As expected, you get an error message informing you that user2 does not have permissions to update this document.
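The schema ACLs and the user1/user2 test above can also be checked offline before a schema is saved. The following is an added example, not Apstrata code: it parses the ACL groups, reports fields that no ACL group covers or that anyone may write, and evaluates access with a simplified model of the "creator" and "anonymous" roles. The "email" field and all function names are hypothetical, and because this page does not say how Apstrata treats a field outside every ACL group, the model denies it.

```python
import xml.etree.ElementTree as ET

# Constructed sample: ACL part of the page's "game" schema, plus a field
# ("email", hypothetical) deliberately left out of every ACL group.
SCHEMA = """<schema>
  <aclGroups>
    <aclGroup name="playerOnly"><read>creator</read><write>creator</write>
      <fields><field>lives</field></fields></aclGroup>
    <aclGroup name="anyone"><read>anonymous</read><write>creator</write>
      <fields><field>score</field><field>level</field><field>player</field></fields>
    </aclGroup>
  </aclGroups>
  <fields><field name="score"/><field name="level"/><field name="lives"/>
    <field name="player"/><field name="email"/></fields>
</schema>"""

def field_acls(schema_xml):
    """Map each field listed in an <aclGroup> to its read/write role."""
    acls = {}
    for group in ET.fromstring(schema_xml).findall("./aclGroups/aclGroup"):
        # Each entry on the page holds a single role, so keep it as one string.
        perms = {op: (group.findtext(op) or "").strip() for op in ("read", "write")}
        for field in group.findall("./fields/field"):
            acls[field.text.strip()] = perms
    return acls

def lint(schema_xml):
    """Return (uncovered, undeclared, world_writable) lists of field names."""
    root = ET.fromstring(schema_xml)
    declared = {f.get("name") for f in root.findall("./fields/field")}
    acls = field_acls(schema_xml)
    uncovered = sorted(declared - set(acls))      # declared, in no ACL group
    undeclared = sorted(set(acls) - declared)     # in an ACL group, never declared
    world_writable = sorted(f for f, p in acls.items() if p["write"] == "anonymous")
    return uncovered, undeclared, world_writable

def allowed(acls, field, op, user, creator):
    """Simplified model of the roles described on the page; fails closed."""
    role = acls.get(field, {}).get(op)
    if role == "anonymous":
        return True
    if role == "creator":
        return user == creator
    return False  # "nobody", unknown roles and uncovered fields are denied

if __name__ == "__main__":
    acls = field_acls(SCHEMA)
    print(lint(SCHEMA))
    print(allowed(acls, "score", "write", "user2", "user1"))  # step 4 of the walkthrough
```
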
