Configuring permissions for your no-code backend REST API
Permissions can be configured separately for each operation (Create, Read, Update and Delete) of your no-code backend REST API. They determine, for example, what an anonymous visitor of your website can do as opposed to a user who is signed in.
The combination of permissions you choose should follow your application's design.
The table below describes each permission in detail. You can also skip this section and continue with the rest of the tutorial.
Operation | Access | Description | Example usage |
---|---|---|---|
Create | Public | Anyone can create data | In a blog CMS, public users can add comments against articles |
Create | Users | Only registered users of your application can create data | Most common. In a 'To-do Lists' application, users can create their own lists |
Create | Admin only | Only 'Data Admin' users can create data | In a booking management system, only admins can add the locations that are bookable |
Read | Public | Anyone can read data | In a blog CMS, an article can be read by anyone |
Read | Users | Only registered users of your application can read data | In a booking management system, logged-in users can see available time slots |
Read | User only | Data can only be read by the user who created that data (data remains private to the user) | Most common. In a 'To-do Lists' application, lists are private to each user |
Read | Admin only | Only 'Data Admin' users can read data | In a blog CMS, only an admin can see how many times an article has been edited |
Update | Public | Anyone can update data | In a simple fuel price tracking system, you allow anyone to update that day's fuel price at a particular gas station through an app |
Update | Users | Only registered users of your application can update data | In a simple fuel price tracking system, you only allow registered users to update that day's fuel price at a particular gas station through an app |
Update | User only | Data can only be updated by the user who created that data (data that's private to a user) | Most common. In a 'To-do Lists' application, a list can only be updated by the user who created it |
Update | Admin only | Only 'Data Admin' users can update data | In a booking management system, only an admin can update a bookable location |
Delete | Public | Anyone can delete data | In a simple web-based demo of an application, you allow anyone to delete a record and start over |
Delete | Users | Only registered users of your application can delete data | In a simple web-based demo of an application, you allow registered users to delete a record and start over |
Delete | User only | Data can only be deleted by the user who created that data (data that's private to a user) | Most common. In a 'To-do Lists' application, a list can only be deleted by the user who created it |
Delete | Admin only | Only 'Data Admin' users can delete data | In a booking management system, only an admin can delete a bookable location |
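To make the semantics of the four access levels concrete, here is a small reference evaluator that implements the table above, written for this page as an added example; it is not the platform's own code and does not show how the platform stores or checks permissions internally. The names `Access`, `Principal`, `Record`, `is_allowed` and `PRIVATE_TO_USER` are assumptions for the example, as are the sample users and the single sample record. The one point worth noticing is how 'User only' is decided: ownership comes from the owner id stored on the record at create time, never from anything the caller sends, and a request with no record to check against is denied.

```python
"""Reference evaluator for the Create/Read/Update/Delete permission table.

Added example for this tutorial, not the platform's own implementation.
All names below (Access, Principal, Record, is_allowed, ...) are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional


class Access(Enum):
    PUBLIC = "public"          # anyone, including anonymous visitors
    USERS = "users"            # any signed-in user
    USER_ONLY = "user_only"    # only the user who created the record
    ADMIN_ONLY = "admin_only"  # only 'Data Admin' users


OPERATIONS = ("create", "read", "update", "delete")

# Levels the table offers for each operation. A record has no creator yet at
# create time, so 'User only' is not a valid Create setting.
VALID_LEVELS: Dict[str, FrozenSet[Access]] = {
    "create": frozenset({Access.PUBLIC, Access.USERS, Access.ADMIN_ONLY}),
    "read": frozenset(Access),
    "update": frozenset(Access),
    "delete": frozenset(Access),
}

Policy = Dict[str, Access]


@dataclass(frozen=True)
class Principal:
    user_id: Optional[str]       # None for an anonymous visitor
    is_data_admin: bool = False


@dataclass(frozen=True)
class Record:
    owner_id: Optional[str]      # user_id stored when the record was created


def policy_is_valid(policy: Policy) -> bool:
    """True if every operation is set to a level the table allows for it."""
    return all(op in policy and policy[op] in VALID_LEVELS[op] for op in OPERATIONS)


def is_allowed(policy: Policy, op: str, who: Principal,
               record: Optional[Record] = None) -> bool:
    """Decide a single request against the model's policy.

    'User only' compares the caller's identity with the owner id stored on the
    record. The caller never supplies the owner id, so a signed-in user cannot
    reach another user's data by guessing or tampering with ids.
    """
    if not policy_is_valid(policy):
        raise ValueError("policy uses an access level the operation does not support")
    level = policy[op]
    if level is Access.PUBLIC:
        return True
    if who.user_id is None:
        return False                       # every other level needs a signed-in user
    if level is Access.USERS:
        return True
    if level is Access.ADMIN_ONLY:
        return who.is_data_admin
    # Access.USER_ONLY: deny unless the stored owner is the caller.
    if record is None or record.owner_id is None:
        return False                       # nothing to prove ownership against
    return record.owner_id == who.user_id


# The configuration this tutorial chooses for the Lists and Tasks models.
PRIVATE_TO_USER: Policy = {
    "create": Access.USERS,
    "read": Access.USER_ONLY,
    "update": Access.USER_ONLY,
    "delete": Access.USER_ONLY,
}

# Constructed sample principals and record (not real accounts).
ANON = Principal(user_id=None)
ALICE = Principal(user_id="alice")
BOB = Principal(user_id="bob")
ADMIN = Principal(user_id="carol", is_data_admin=True)
ALICES_LIST = Record(owner_id="alice")

if __name__ == "__main__":
    cases = [(ANON, "create"), (ALICE, "create"), (ALICE, "read"),
             (BOB, "read"), (ADMIN, "delete")]
    for who, op in cases:
        verdict = is_allowed(PRIVATE_TO_USER, op, who, ALICES_LIST)
        print(f"{who.user_id or 'anonymous':>9} {op:6} on alice's list -> {verdict}")
```

Run as a script it prints the decisions for the tutorial's configuration: anonymous visitors cannot create, a signed-in user can create, and only alice can read or delete her own list. Note that with 'User only' even a Data Admin is refused, because the table defines that level purely by who created the record; if admins need access, choose 'Admin only' for that operation instead.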
Continuing with our sample app, switch to the Access tab of the Lists model.
![Lists model access](/assets/image/tutorial/list_model_access_tab.png)
We want only registered users to create lists, and no one other than the user who created a list to read, update or delete it. In other words, we want the data to be private to each user.
To achieve this, set Create access to Users and set the Read, Update and Delete access types to User only.
![Lists model access](/assets/image/tutorial/list_model_access.png)
Do the same for the Tasks model.
![Tasks model access](/assets/image/tutorial/tasks_model_access.png)
Click the Update service button and wait for your service to be deployed.
![Update Service button](/assets/image/tutorial/update_service_button.png)
Lists and Tasks are now private to the user who created them, and the restriction is enforced by the backend on every request rather than left to the front-end. Next, we will connect the API to a front-end app.