restdb.io supports role-based access control. Roles are particularly useful when you need to restrict what users can see and do in the data manager of your database. In Developer mode, click the Access column of the Collection you want to restrict. In the screenshot below, we have added 'read' access (GET in HTTP speak) to the 'editor' and 'interns' roles, and Create/Update/Delete access to the 'editor' role only. Users without these roles will not be able to see anything.
It's important to understand that the roles you assign in the data manager are abstract. The actual connection between a user and its roles is set in the Settings of your database: there you simply assign the proper roles to each user.
Externally authenticated users (Authentication documentation) can also be restricted with roles and access rules. A user in the User collection must have an array with the required roles, e.g.:
{
  "_id": "57cee0f9a72afb7d20001ff",
  "email": "jane@corp.com",
  "email_verified": true,
  "name": "Jane Smith",
  "given_name": "Jane",
  "family_name": "Smith",
  "picture": "https://lh4.googleusercontent.com/xxx/photo.jpg",
  "gender": "female",
  "locale": "en",
  "roles": ["gamer", "leader"]
}
You can check the "Enable private data" option on the Access dialog for a particular Collection.
This is important if you want to prevent users from seeing each other's data. Administrators can always see all data by clicking on the Show all icon in the data list view.
The private data option will filter data on API access for externally authenticated users (Authentication documentation).
To control realtime access for externally authenticated users, a JSON realtime property must be inserted on your User object.
{
  "_id": "58e10565e8e4e51c00000007",
  "email": "jones@gmail.com",
  "realtime": {
    "sub": [
      …
    ],
    "pub": [
      …
    ]
  },
  "active": true
}
The realtime JSON property has two parts: sub (subscribe) and pub (publish). Each entry has the form "EVENT:collection".
The following example Codehook (on the users collection) shows how you could apply a standard realtime access policy to all new users. In this example, all new users are allowed to subscribe to PUT, POST and DELETE data events on the items collection and to MESSAGE events on chatx, and to publish chatx MESSAGE events.
// Runs before a new user document is stored in the users collection.
function beforePOST(req, res) {
  // Overwrite (not merge) the realtime property server-side, so a caller cannot
  // grant itself broader subscribe/publish rights by supplying one in the POST body.
  req.body.realtime = {
    "sub": [
      "PUT:items",
      "POST:items",
      "DELETE:items",
      "MESSAGE:chatx"
    ],
    "pub": [
      "MESSAGE:chatx"
    ]
  };
  // Continue with the modified document.
  res.end({"data": req.body});
}
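The two rules described on this page (collection access by role, and the "EVENT:collection" sub/pub entries on the User object) evaluated in one place, as an added example that is not restdb.io's own code. The collection rule table, the sample users and the function names are assumptions constructed to mirror the page's examples; both checks are default-deny, so a user with no roles or no realtime property is allowed nothing.

```javascript
// Constructed to mirror the page's screenshot description:
// read for 'editor' and 'interns', create/update/delete for 'editor' only.
const collectionAccess = {
  GET: ['editor', 'interns'],
  POST: ['editor'],
  PUT: ['editor'],
  DELETE: ['editor'],
};

// True if any of the user's roles is allowed to use `method` on the collection.
// A missing or non-array roles property counts as "no roles".
function roleAllows(user, method) {
  const roles = Array.isArray(user.roles) ? user.roles : [];
  const allowed = collectionAccess[method] || [];
  return roles.some((r) => allowed.includes(r));
}

// Check one direction ('sub' or 'pub') of the user's realtime property against
// an "EVENT:collection" string such as "PUT:items".
function realtimeAllows(user, direction, event) {
  const rt = user.realtime;
  if (!rt || typeof rt !== 'object') return false; // no realtime property: deny
  const list = Array.isArray(rt[direction]) ? rt[direction] : [];
  // Entries match exactly: being allowed "PUT:items" says nothing about "PUT:users".
  return list.includes(event);
}

const canSubscribe = (user, event) => realtimeAllows(user, 'sub', event);
const canPublish = (user, event) => realtimeAllows(user, 'pub', event);

// Constructed sample users shaped like the page's User documents.
const editor = {
  email: 'jane@corp.com',
  roles: ['editor'],
  realtime: {
    sub: ['PUT:items', 'POST:items', 'DELETE:items', 'MESSAGE:chatx'],
    pub: ['MESSAGE:chatx'],
  },
};
const intern = { email: 'bob@corp.com', roles: ['interns'] }; // no realtime property
const nobody = { email: 'guest@corp.com' };                   // no roles at all
```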