morphus@heartforgames.com asked

ClientAPI security: which calls are allowed by default?

If I have unchecked everything under Title/API Features, can I assume the only actions a ClientAPI call can do are Link/Unlink/Register account?

For security reasons, I want the user to be able to register an account and link and unlink auth methods. All other functions should be performed server side.

Can you confirm it would be the case?


1 Answer

Rick Chen answered

No. Unchecking everything under Title/API Features only disables specific APIs for the client, since these APIs allow the client to cheat.

If you want to disable other client APIs, you can go through this document: API access policy, to set up your API access policy.

If you are looking for a whitelist for Client API access, you can check out this thread: https://community.playfab.com/questions/43440/whitelist-for-client-api-access.html

4 comments

Rick Chen ♦ commented

No. Unchecking everything under Title/API Features only disables specific APIs for the client, since these APIs allow the client to cheat.

If you want to disable other client APIs, you can go through this document: API access policy, to set up your API access policy.

In addition, if you want a whitelist for Client API access, you can check out this thread: https://community.playfab.com/questions/43440/whitelist-for-client-api-access.html

morphus@heartforgames.com commented (in reply to Rick Chen ♦)

I've tried to create an API Policy this way

The code works, but the function LoginWithCustomID is not allowed; it seems the Deny All overwrites the previous allow.

Is there a way to Deny All, except what you want to allow?

And besides listing them one by one, is there a way to do something like pfrn:api--/Client/Login* to allow all Login commands?

Thanks

Rick Chen ♦ commented (in reply to morphus@heartforgames.com)

I think you should remove the policy below instead of replacing the “Allow” with “Deny” in “Effect”.

{
  "Resource": "pfrn:api--*",
  "Action": "*",
  "Effect": "Allow",
  "Principal": "*",
  "Comment": "The default allow all policy"
},

Once removed, it will restrict all client APIs by default, then you can add the allow policy to allow the APIs as you desire.

Yes, you can add things like pfrn:api--/Client/Login* in the “Resource” to allow all APIs whose names begin with “Login”.

morphus@heartforgames.com commented
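As an added example (not code from the thread, PlayFab, or either participant), this is the deny-by-default policy the advice above leads to for the asker's goal, plus a small local matcher to review which API resources each statement catches before uploading it. The `PolicyName`/`Statements` wrapper and the method names RegisterPlayFabUser, LinkCustomID and UnlinkCustomID are assumptions; the matcher approximates the evaluation the thread describes (no matching statement means denied, a matching Deny beats an Allow) and is not PlayFab's authoritative logic.

```python
import fnmatch

# Constructed example of a deny-by-default API access policy for the
# goal in this thread: the client may only log in, register, and link or
# unlink auth methods; everything else must go through the server.
# Statement fields are the ones shown in the thread; the
# "PolicyName"/"Statements" wrapper is an assumption about the upload shape.
def statement(resource, effect, comment):
    return {"Resource": resource, "Action": "*", "Effect": effect,
            "Principal": "*", "Comment": comment}

RESTRICTED_POLICY = {
    "PolicyName": "ApiPolicy",
    "Statements": [
        # No "pfrn:api--*" Allow statement: unmatched calls are denied.
        statement("pfrn:api--/Client/Login*", "Allow",
                  "All Client login calls, e.g. LoginWithCustomID"),
        statement("pfrn:api--/Client/RegisterPlayFabUser", "Allow",
                  "Account registration (method name assumed)"),
        statement("pfrn:api--/Client/Link*", "Allow", "Link an auth method"),
        statement("pfrn:api--/Client/Unlink*", "Allow", "Unlink an auth method"),
    ],
}

# The approach that failed in the thread: keeping an Allow and appending
# a Deny for everything, which swallows the Allow.
MISTAKEN_POLICY = {
    "PolicyName": "ApiPolicy",
    "Statements": [
        statement("pfrn:api--/Client/Login*", "Allow", "Intended allow"),
        statement("pfrn:api--*", "Deny", "Deny all (overrides the allow)"),
    ],
}

def matching_statements(policy, resource):
    """Statements whose Resource glob matches the API resource name."""
    return [s for s in policy["Statements"]
            if fnmatch.fnmatchcase(resource, s["Resource"])]

def is_allowed(policy, resource):
    """Local approximation of policy evaluation, for reviewing a policy
    before uploading it: no matching statement means denied, and any
    matching Deny wins over Allow (the behaviour observed in the thread)."""
    effects = {s["Effect"] for s in matching_statements(policy, resource)}
    return "Allow" in effects and "Deny" not in effects
```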

Yes, it works fine, thank you :)
