suppressAuth option not working

Ask the community
, ,
1

Hello,
I have the following in my backend code, via a backend web module:
let options = {
“suppressAuth”: true
};
const response = await wixData.query(“”, options)
.eq(‘memberId’, userId.toLocaleString()) //+ userId)
.isNotEmpty(‘’)
.count()
.then((num) => {
subscriber = num;

The collection is only visable by admin users by design for security purposes. When I log on to the site and hit the page that runs the query above as the admin user everything works without issue. However, if I am logged in to my site as a non-admin user I get the following security error when hitting the page that initiates my backend code:
“[“WDE0027: The current user does not have permissions to read on the collection.”]”

How do I get around this issue? I thought the suppressAuth option was specifically for this use case.

Any suggestions would be appreciated.

2

Have you not already answered the question in your own question?

The collection is only visible by admin users by design for security purposes. When I log on to the site and hit the page that runs the query above as the admin user everything works without issue.

However, if I am logged in to my site as a non-admin user I get the following security error

As for Wix Data Options, you might be best to put both in for suppressing both hooks and checks, however this is to be used more for datasets that you can’t read to begin with like the Wix Members app and its own Members/PrivateMembersData collection.

If you set your dataset as admin permission only, then I don’t think that this Wix Data Options will overwrite the admin only permissions that you have set on your dataset.
https://support.wix.com/en/article/about-collection-permissions
https://support.wix.com/en/article/changing-your-database-collection-permissions

More to the point, if you set it up to be admin only, then you won’t be able to use it for the rest of your site members unless you make them admin too.

https://www.wix.com/corvid/reference/wix-data.html#WixDataOptions

Use data options to prevent permission checks and hooks from running

import wixData from 'wix-data';

// ...

let options = {
  "suppressAuth": true,
  "suppressHooks": true
};

wixData.get("myCollection", "00001", options)
  .then( (results) => {
    let item = results;
  } )
  .catch( (err) => {
    let errorMsg = err;
  } );
3

Thanks for the response. I was going off of the following post, on the theory that I could lockdown a database so that only the backend would have access to it:
https://www.wix.com/corvid/forum/community-discussion/security-in-databases

" See the article Calling Server-side Code from the Front-end with Web Modules for information on backend coding. In the .jsw (web module) file, write queries just as you would in the page code. You’ll just need to include the import of the wix-data API at the beginning of the file:

import wixData from 'wix-data';

You now call the backend (web module) functions from your page code as described in the article (and as shown in comments in the .jsw file when it’s created. Since the queries are in the backend, you can then use suppressAuth to access a “locked down” database collection."

4

The query() function does not have the suppressAuth option . You should be using the suppressAuth option in the count() function .

5

Thanks Yisrael! Now it is working as your previous article detailed, I just had the options in the wrong place. I now have a database that is only referenced by the backend (which has admin privileges) and users with admin privileges.

For reference I changed the query to:
let options = {
“suppressAuth”: true
};
const response = await wixData.query(“”)
.eq(‘memberId’, userId.toLocaleString()) //+ userId)
.isNotEmpty(‘’)
.count( options )
.then((num) => {
subscriber = num;

6

i write this code but not working
I face this error ( Error: Permission denied: {“message”:“Read not permitted”,“details”:{}}. )


let  options = {
"suppressAuth": true
};
wixData.query("Stores/Orders")
.count(options)
.then((num) => {
  console.log("Numbers is :" , num)
  } )
  .catch( (error) => 
  {
  let errorMsg = error.message;let code = error.code;    console.log("Error message: ", errorMsg)    console.log("code error" , code)  } );
7

Is this code in the backend?

8

no in javascript

9

I understand that it’s in Javascript. But is it in a frontend file or backend file ? The suppressAuth option only works in backend code.

10

but now i write this code in backend same errore

11

Please post the editor URL of your site. Only authorized Wix personnel can get access to your site in the editor. Please include the name of the page involved.

12

@mhghamza If you post the URL of your site, I can take a look.

13

When Yisrael asks for your Wix Editor URL, he is asking for the URL address which is shown in your web browsers address bar, for when you are logged into your Wix account and using the Editor itself.

So whether you are using Wix Editor or X, it will still be the same address that is shown in your browsers url address bar.

You would need to post the whole url address shown in the address bar

As Yisrael has already stated only Wix can access it so it is secure:
Only authorized Wix personnel can get access to your site in the editor.

Otherwise, just do what Yisrael has posted last for you to do and provide the website url address of your website if you have published it.

So that would simply be something like…
https://www.your-website-name-here.something
Please add the name of the page or pages where you are using this code.

Or link directly to the required page itself in your web link.
https://www.your-website-name-here.something/your-page-name

14

I would also recommend having a read of Andreas Kviby old forum post here and watch his video too, although please note that Andreas has not been associated with Wix for a good while now, so don’t try to respond to him as you will not get a reply.
https://www.wix.com/corvid/forum/community-discussion/creating-backend-modules-and-learn-how-to-use-them

Also, make use of the already provided links on this forum post and have a read of them to help you try to understand how the Backend and Backend functions work and how to apply Wix Data Options itself.

15

Finally, please add a new post next time with a link to refer back to this old post, instead of bumping up an old thread from 2019, thank you.

Sometimes old posts contain outdated or wrong code or a new API has been released etc, so it is always better to start afresh so that you are not mixing up any old and new code.

16

Hello Yisrael, I’m coming at this late but…

  • I have a collection whose permission is set to MemberGeneratedContent.
  • I have a server side function that calls to wixData.removeReference(coll, refField, collID, insertStr, options) with all the parms set properly and the suppression options both set to true.
  • If I log on as website admin, the call works and the item is removed
  • If I log on as a website member, it fails with WDE0027: The current user does not have permissions to update on the MemberExtended collection.

Originally, I tried this from the client side and when it failed with site “members” I followed the info from this and other threads to move it to the server side.

here is the server-side code:
export function removeFromReaderlist(coll, refField, collID, insertStr)
{
let options = {
“suppressAuth” : true ,
“suppressHooks” : true
};

    console.log( "server side remove from read list for: "  + insertStr) 
    wixData.removeReference(coll, refField, collID, insertStr, options) 
    .then( () => { 
        console.log( "Reference removed" );

return true
// console.log(“Reference removed”);

    } ) 
    . **catch** ( (error) => { 
        console.log(error);

return false
} );
}