Security is an important aspect of Cloud Functions. A Cloud Function is often used to perform important system tasks or to return sensitive data. You must take special care to ensure that such functions are invoked only by the project owner, at the proper time, and with the proper arguments.
Even if a Cloud Function cannot break your app and does not present a security risk, letting everyone invoke it at any time is not recommended. A large number of invocations can increase your bandwidth usage and result in additional charges.
To handle those scenarios, Cloud Functions support permissions.
By default, when you create a Cloud Function, the resulting endpoint can be invoked by users in all currently existing roles, including the Anonymous role.
Newly-added roles in your application are not allowed to call these endpoints. You need to set the permissions for the endpoint to accept requests from users in these roles.
You are advised to change the default set of permissions. If you decide to keep it, ensure that you take into account all possible parameter values and act accordingly. Even if your app makes only the right calls to the endpoint, someone might find out the endpoint URL and invoke it with whatever parameters they want.
To set an endpoint's permissions, click the gear icon next to the Cloud Function name and select Permissions from the drop-down list.
If you need to restrict access to a Cloud Function, you can adjust its permissions accordingly. Just like content types, Cloud Functions support role-based permissions. For example, you may want to allow only users in the Registered role or in another specified role to invoke a Cloud Function.
If you need finer-grained control over the security of your Cloud Functions, you have yet another option. Within the Cloud Function you can read information about the principal who initiated the function call by examining the request object. You can then decide what to do, based on this principal and the function parameters.
You can even implement your custom authentication, completely independent from the Telerik Platform security system. As mentioned above, in the Cloud Function you have access to all request parameters, so you can implement your own authentication mechanism there.
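The following is an added example, not code from the Telerik Platform documentation, of a decision function that combines a principal check with custom authentication based on request parameters. The request field names (`principal.role`, `parameters`), the action names, and the shared secret are assumptions for illustration; the code runs under Node.js.

```javascript
const crypto = require('crypto');

// Hypothetical request shape (an assumption, not the platform's documented API):
//   { principal: { role }, parameters: { action, ts, sig } }
const ALLOWED_ACTIONS = new Set(['report', 'cleanup']); // constructed action names
const TRUSTED_ROLES = new Set(['Registered']);
const MAX_SKEW_MS = 5 * 60 * 1000; // reject signatures older than five minutes

// HMAC-SHA256 over the action and timestamp, keyed with a shared secret.
function sign(secret, action, ts) {
  return crypto.createHmac('sha256', secret).update(action + '\n' + ts).digest();
}

function authorize(request, secret, nowMs) {
  const p = (request && request.parameters) || {};
  // Validate parameters first: anyone who learns the URL can send any values.
  if (typeof p.action !== 'string' || !ALLOWED_ACTIONS.has(p.action)) {
    return { status: 400, reason: 'bad action' };
  }
  // The role comes from the platform-authenticated principal, never from parameters.
  const role = request.principal && request.principal.role;
  if (TRUSTED_ROLES.has(role)) return { status: 200, reason: 'role' };
  // Custom authentication for everyone else: a fresh, correctly signed request.
  if (typeof p.ts !== 'string' || !/^\d{1,15}$/.test(p.ts)) {
    return { status: 400, reason: 'bad timestamp' };
  }
  if (Math.abs(nowMs - Number(p.ts)) > MAX_SKEW_MS) {
    return { status: 401, reason: 'stale' };
  }
  if (typeof p.sig !== 'string' || !/^[0-9a-f]{64}$/.test(p.sig)) {
    return { status: 401, reason: 'bad signature' };
  }
  // Both buffers are 32 bytes here, as timingSafeEqual requires.
  const ok = crypto.timingSafeEqual(Buffer.from(p.sig, 'hex'), sign(secret, p.action, p.ts));
  return ok ? { status: 200, reason: 'signature' } : { status: 401, reason: 'bad signature' };
}

// Constructed demo values; a real secret would be kept outside the source code.
function demo(nowMs = Date.now()) {
  const secret = 'constructed-demo-secret';
  const ts = String(nowMs);
  const sig = sign(secret, 'report', ts).toString('hex');
  const request = { principal: { role: 'Anonymous' }, parameters: { action: 'report', ts, sig } };
  return authorize(request, secret, nowMs);
}
```

Because the signature covers both the action and the timestamp, a captured signature cannot be reused for a different action or after the freshness window has passed.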
See Introduction to Business Logic Permissions to find out how to manage permissions programmatically.