Secure your database with Teta CMS policies

10/07/2022 - 3 min read

Hey! I'm Andrea from Teta 👋
Today we will see how to set policies (security rules) within Teta CMS to secure your database.
Let me know what you think about it 😄

What is Teta CMS

Teta CMS is a low-code back-end service. We provide:

  • A scalable NoSQL database
  • Real-time subscriptions
  • A user authentication system and policies
  • Custom queries on your collections with our Ayaya language
  • An easy-to-use, responsive user interface

See our GitHub Repo

You can see the source code in this repo

What are policies

Policies are security rules.
Each policy is linked to a specific collection and is evaluated every time that collection is accessed through a query or the API.

Essentially, they are additional conditions appended to every query made against the collection, so a document that does not satisfy the policy is not touched by the query.

How do they work

A policy is essentially a condition between a document field and a value: a document is affected by the query only if the condition holds.
In Ayaya, it is:

    MATCH field EQ value;

They can also be used dynamically to check whether the current user has the right permissions.
To do that, you can use one of these variables, which refer to the user authenticated for the request:

  • $uuid - the current user's id
  • $email - the current user's email
  • $name - the current user's name

In Ayaya, a policy that matches only the documents whose email field equals the current user's email is:

    MATCH email EQ $email;

How to set them within Teta

To set them on your collection, navigate to:

  • app.teta.so > project dashboard > database > policies (on top right)

Add a new policy

To add a new policy to your collection, open the policies panel and click 'New policy'.
You then choose the scope of your policy, which is one of:

  • read
  • update
  • delete

The scope defines which action triggers the policy.
You can define one policy per scope. Note that no create scope appears in this list, so a policy cannot restrict who inserts documents into the collection.

Then fill in the 'key name' field, which is the name of the database field the condition is checked against, and the 'value' field.
We provide two shortcuts to insert the current user's id and email as the value.

Use case

Policies are useful for setting permissions on database actions.
A well-known example is a chat app.

We want to restrict the delete action on the 'messages' collection to documents whose email matches the current user's, i.e. a delete policy whose key name is email and whose value is the current user's email.
In this way, a user can delete their own messages, but not anyone else's.
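To make the mechanism concrete, here is a small Python model of how a policy acts as an extra condition on a query, covering both the "How do they work" section and the chat-app use case. It is an added example written for this post, not Teta's code and not the Ayaya engine: it supports only the one policy form shown above (MATCH field EQ value;), resolves $uuid / $email / $name from a session object that stands in for the authenticated user (constructed here), and applies the delete policy to a constructed 'messages' collection.

```python
import re

# Constructed sample data for this example; not real Teta records.
MESSAGES = [
    {"_id": "m1", "email": "alice@example.com", "text": "hi bob"},
    {"_id": "m2", "email": "bob@example.com", "text": "hi alice"},
    {"_id": "m3", "email": "alice@example.com", "text": "lunch?"},
]

# Only the policy form shown in the post is modelled:  MATCH <field> EQ <value>;
# Other operators or multi-clause policies are out of scope for this toy parser.
POLICY_RE = re.compile(r"^\s*MATCH\s+(\w+)\s+EQ\s+(\S+?)\s*;\s*$")

# The three dynamic variables the post lists.
USER_VARIABLES = ("$uuid", "$email", "$name")


def parse_policy(policy_text):
    """Split 'MATCH field EQ value;' into (field, raw_value); reject anything else."""
    match = POLICY_RE.match(policy_text)
    if match is None:
        raise ValueError(f"unsupported policy syntax: {policy_text!r}")
    return match.group(1), match.group(2)


def resolve_value(raw_value, session_user):
    """Replace $uuid / $email / $name with the authenticated user's attributes.

    `session_user` is what the server knows about the caller (assumed shape:
    a dict with uuid/email/name). The request body is never consulted, so a
    client cannot substitute another user's email here.
    """
    if not raw_value.startswith("$"):
        return raw_value  # literal value, e.g. MATCH status EQ published;
    if raw_value not in USER_VARIABLES:
        raise ValueError(f"unknown policy variable: {raw_value}")
    return session_user[raw_value[1:]]  # "$email" -> session_user["email"]


def apply_policy(docs, policies, scope, session_user):
    """Return the documents that the policy for `scope` allows the caller to act on.

    A scope without a policy adds no condition, so every document is allowed.
    """
    policy_text = policies.get(scope)
    if policy_text is None:
        return list(docs)
    field_name, raw_value = parse_policy(policy_text)
    wanted = resolve_value(raw_value, session_user)
    # The policy behaves like an extra WHERE clause appended to the query:
    # a document missing the field simply does not match.
    return [doc for doc in docs if doc.get(field_name) == wanted]


def delete_messages(docs, policies, session_user, requested_ids):
    """Simulate a delete request against the 'messages' collection.

    Returns (ids actually removed, remaining documents). Ids the policy does
    not allow are skipped rather than raising, mirroring a filtered query.
    """
    allowed_ids = {doc["_id"] for doc in apply_policy(docs, policies, "delete", session_user)}
    removed = [doc_id for doc_id in requested_ids if doc_id in allowed_ids]
    remaining = [doc for doc in docs if doc["_id"] not in removed]
    return removed, remaining


if __name__ == "__main__":
    # Delete policy from the chat-app use case: only the author's own messages.
    policies = {"delete": "MATCH email EQ $email;"}
    # Constructed session: attributes the server resolved for the logged-in user.
    alice = {"uuid": "u-1", "email": "alice@example.com", "name": "Alice"}

    # Alice asks to delete every message, including bob's.
    removed, remaining = delete_messages(MESSAGES, policies, alice, ["m1", "m2", "m3"])
    print("removed:", removed)                          # ['m1', 'm3']
    print("remaining:", [d["_id"] for d in remaining])  # ['m2']

    # Without a delete policy the same request wipes the collection.
    removed_all, _ = delete_messages(MESSAGES, {}, alice, ["m1", "m2", "m3"])
    print("removed with no policy:", removed_all)       # ['m1', 'm2', 'm3']
```

The security-relevant point is in resolve_value: the comparison value comes from the server's view of the caller, never from the request, so a client that sends someone else's id or email in the body still only matches its own documents. The second run in the demo shows the other edge: a scope with no policy applies no condition at all, so an unprotected delete scope lets any authenticated user remove every document.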

Final thoughts

Teta CMS makes it easy to integrate policies into the database.
With them, you can increase the security of the back-end, preventing unwanted actions by users.