Am I right in thinking that if a user has CREATE permission for any tables that they could theoretically spam any number of create requests and also potentially CREATE or UPDATE (for example) an invalid email address?

I will of course only give authenticated users any create permission, but is it expected I should need another API layer to detect and prevent such data issues?

Is this what functions are for? If I make a function public am I able to auth the user, validate their parameters and only then execute a mutation?

If I remove the CREATE permission for a user role and route all creates through a function, am I then able to elevate permissions to be able to perform the create once I have validated the data?

UPDATE: For this last question it seems the answer is YES, it is possible to bypass permissions. This prompts a new question of would any inserted/updated data have the created_by etc of the user?

The gqlRequest method accepts an optional options object as its third argument. On that options object, the checkPermissions option is available. By default, checkPermissions=true and any query run from inside the function gets scoped to the requester’s permissions. When set to false, the query runs without checking permissions.
Custom Functions - 8base Documentation

Am I missing something?

Hello @james !

Yes, if a user has CRUD permission for a particular table, he will be able to manipulate it any way he’d like. What exactly do you mean by:

8base guarantees authentication and authorization within the native limits it provides. I mean, it can be pretty advanced; check out Advanced Authorization using Custom GraphQL Filters | 8base Academy

It is not connected; createdBy will be not null if a user with such an email is present in the Users table (signed up).

Hi @Fomich - thank you for your reply and explanations!

I was imagining at first that I could mutate my data directly using mutations from my client web application… am I right in thinking I should create webhooks for all my publicly available API endpoints?

Yes, you can mutate data using a mutation straight from the client web app using custom functions (check out the gqlRequest method, Environment - 8base Documentation).

Not sure what you mean. I guess it all depends on what you are trying to achieve here. Basically, a webhook allows you to call your custom functions as regular RESTful endpoints.
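The pattern discussed in this thread (remove CREATE from the role, validate inside a custom function, then write with `checkPermissions: false`), as an added example that is not part of the original posts or of 8base's own code. The `Subscriber` table, the `subscriberCreate` mutation, the `user` query, the value returned by `gqlRequest` and the `{ data, errors }` return shape are assumptions.

```javascript
// Added example. Hypothetical table "Subscriber"; the mutation name and the
// `user` query are assumptions about the workspace's generated schema.
const CREATE_SUBSCRIBER = `mutation ($data: SubscriberCreateInput!) {
  subscriberCreate(data: $data) { id email }
}`;
const CURRENT_USER = `query { user { id email } }`;
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]{2,}$/;

// Returns a list of validation errors; an empty list means the input is acceptable.
function validateSubscriber(data) {
  if (!data || typeof data !== 'object') return ['data is required'];
  const errors = [];
  const { email, name } = data;
  if (typeof email !== 'string' || email.length > 254 || !EMAIL_RE.test(email)) {
    errors.push('email is invalid');
  }
  if (typeof name !== 'string' || name.trim().length === 0 || name.length > 100) {
    errors.push('name must be 1-100 characters');
  }
  return errors;
}

// Assumed error shape for a resolver-style function response.
const fail = (messages) => ({ data: null, errors: messages.map((message) => ({ message })) });

// Custom function handler: authenticate, validate, and only then do the elevated write.
async function handler(event, ctx) {
  // 1. checkPermissions defaults to true, so this lookup is scoped to the requester.
  const me = await ctx.api.gqlRequest(CURRENT_USER).catch(() => null);
  if (!me || !me.user) return fail(['not authenticated']);

  // 2. Reject bad input before any privileged call is made.
  const errors = validateSubscriber(event.data);
  if (errors.length) return fail(errors);

  // 3. Copy only allow-listed fields so a client cannot smuggle extra
  //    columns into a write that skips permission checks.
  const data = { email: event.data.email.toLowerCase(), name: event.data.name.trim() };
  const res = await ctx.api.gqlRequest(CREATE_SUBSCRIBER, { data }, { checkPermissions: false });
  return { data: res.subscriberCreate };
}

// Export for deployment when a CommonJS module object is present.
if (typeof module !== 'undefined') module.exports = handler;
```

Because the elevated call ignores role permissions, every check the role used to provide has to be in this function; the field allow-list in step 3 is what keeps the bypass limited to the one intended write.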