
ACL verification on Custom Endpoints

Is there a way to perform collectionAccess methods filtered by ACL validation on Custom Endpoints?



e.g.

If I perform a find(), I get a non-filtered list of results, as if it had been performed with Master Secret rights.

What I'd want to get is only the list of results that the user who sent the request to the CE has rights to access.



Is this possible?

I'm not sure this is the "RIGHT" answer, but it works.



If your app is querying the Custom Endpoint directly, your request to the Endpoint will look like this:



{
    "method": "POST",
    "headers": {
        "host": "baas.kinvey.com",
        "x-real-ip": "??.??.??.??",
        "x-forwarded-for": "??.??.??.??, ??.??.??.??",
        "connection": "close",
        "content-length": "35",
        "accept": "application/json",
        "accept-encoding": "gzip,deflate,sdch",
        "accept-language": "en-US,en;q=0.8",
        "authorization": "Kinvey 8dfxxxx9-c0ec-xxxx-ae91-xxxx4c9xxxxb.xxxxOxLTyxxxxavA0WxxxxHR+GQxxxxskfgxxxxVa4M=",
        "cache-control": "no-cache",
        "content-type": "application/json; charset=UTF-8",
        "dnt": "1",
        "origin": "http://localhost",
        "pragma": "no-cache",
        "referer": "http://localhost/yourapphere/",
        "user-agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3",
        "x-kinvey-api-version": "3",
        "x-kinvey-device-information": "js-html5/1.1.1 (angularjs/1.2.0rc1) safari 7534.48.3 macintel unknown",
        "x-forwarded-port": "443",
        "x-forwarded-proto": "https"
    },
    "body": {
        "some-key": "some-value"
    },
    "params": {
        "_": "1vu3osxxxxp5jyvi"
    },
    "username": "SOME-USER-NAME-IS-HERE",
    "collectionName": "NAME-OF-YOUR-COLLECTION",
    "appKey": "YOUR-APP-KEY"
}



See the "username": that is the username of the logged-in user. Using that username, you can query the "user" collection to get their account "_id". With that you can then create your filter with this filter parameter:

    "_acl.creator": <the account _id mentioned above>



Unfortunately, this is a few more queries. But I don't know of a "proper" way other than this. Perhaps someone else has a better answer.
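
Justin's approach above carried through as a custom endpoint handler; this is an added example, not code from the thread or from Kinvey, and it goes beyond the creator-only filter by also admitting entities shared with the user (_acl.r) or globally readable (_acl.gr), which a creator-only filter would hide. It assumes Kinvey's _acl layout (creator, r, gr) and the Business Logic calls modules.collectionAccess.collection(name).findOne/find and response.complete(); the in-memory matcher and sample entities are constructed stand-ins so it runs offline.

```javascript
// Added example, not from the thread or Kinvey. Assumes Kinvey's _acl layout (creator, r, gr)
// and the Business Logic collectionAccess/response API; matcher and SAMPLE are constructed stand-ins.
function aclReadFilter(userId) {
  // Everything the user could read via the REST API, not only what they created.
  return { $or: [
    { '_acl.creator': userId },  // created by the user
    { '_acl.r': userId },        // explicitly shared with the user
    { '_acl.gr': true }          // globally readable
  ] };
}
function restrictQuery(clientQuery, userId) {
  // $and with the client's query: the client can narrow results, never widen them.
  return { $and: [clientQuery || {}, aclReadFilter(userId)] };
}
// Minimal in-memory matcher ($and, $or, dotted-path equality, array membership)
// standing in for the datastore so the filter can be checked without Kinvey.
function matches(doc, query) {
  return Object.keys(query).every(function (key) {
    var want = query[key];
    if (key === '$and') return want.every(function (q) { return matches(doc, q); });
    if (key === '$or') return want.some(function (q) { return matches(doc, q); });
    var have = key.split('.').reduce(function (o, k) { return o == null ? undefined : o[k]; }, doc);
    return Array.isArray(have) ? have.indexOf(want) !== -1 : have === want;
  });
}
// Constructed sample collection: entities owned by three different users.
var SAMPLE = [
  { _id: 'e1', kind: 'note', _acl: { creator: 'u1' } },
  { _id: 'e2', kind: 'note', _acl: { creator: 'u2', r: ['u1'] } },
  { _id: 'e3', kind: 'task', _acl: { creator: 'u3', gr: true } },
  { _id: 'e4', kind: 'note', _acl: { creator: 'u2' } }
];
// Ids the user may see for a client query; an unfiltered find() would return all four.
function visibleIds(entities, clientQuery, userId) {
  var q = restrictQuery(clientQuery, userId);
  return entities.filter(function (d) { return matches(d, q); }).map(function (d) { return d._id; });
}
// Custom endpoint handler: resolve request.username (see the dump above) to an _id,
// then run the collection query with the ACL clause applied.
function onRequest(request, response, modules) {
  var ca = modules.collectionAccess;
  ca.collection('user').findOne({ username: request.username }, function (err, user) {
    if (err || !user) { response.body = { error: 'unknown user' }; return response.complete(401); }
    var query = restrictQuery((request.body && request.body.query) || {}, user._id);
    ca.collection(request.collectionName).find(query, function (err2, docs) {
      if (err2) { response.body = { error: 'query failed' }; return response.complete(500); }
      response.body = docs; response.complete(200);
    });
  });
}
```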

Thanks Justin!

Yeah, that's the way I ended up choosing yesterday too... in any accessControl method (find(), distinct(), ...) I add some parameters to the query in order to filter the results... similar to the one you're suggesting.

I suppose that if there's a built-in way of doing this, it might be faster. But if there isn't yet, I think this is the only solution :)
