Hello 8base community,
Am I right in thinking that if a user has
CREATE permission for any tables that they could theoretically spam any number of create requests and also potentially CREATE or UPDATE (for example) an invalid email address?
I will of course only give authenticated users any create permission, but is it expected I should need another API layer to detect and prevent such data issues?
Is this what functions are for? If I make a function public am I able to auth the user, validate their parameters and only then execute a mutation?
If I remove the CREATE permission for a user role and route all creates through a function, am I then able to elevate permissions to be able to perform the create once I have validated the data?
UPDATE: For this last question it seems the answer is YES, it is possible to bypass permissions. This prompts a new question of would any inserted/updated data have the created_by etc of the user?
The gqlRequest method accepts an optional options object as it’s third argument. On that options object, the checkPermissions option is available. By default, checkPermissions=true and any query run from inside the function gets scoped to the requester’s permissions. When set to false, the query runs without checking permissions.
Custom Functions - 8base Documentation
Am I missing something?