Reputation: 113
I've got a question about the best way to allow users' information to be visible between users in certain situations.
For example, my app will have a "FriendRequest" class to model friend requests between users. The "FriendRequest" class has two User pointers, "toUser" and "fromUser".
I also set a default ACL for all user objects to restrict access to that user only for read/write.
My question is, when a user sends a friend request, I add the pointers for each user, and set the ACL of the "FriendRequest" object to allow both users to read and write to that object. However, when the user retrieves the friend request data, the "fromUser" data is not returned from the query because the ACL of the "fromUser" allows access to only that user - not to the other user who receives the friend request.
What is the best way to allow this data to be visible? Whenever a "FriendRequest" is created, should I add read permissions to the "fromUser" ACL for the "toUser" to be able to read its information?
Any help is appreciated!
Thanks
Upvotes: 3
Views: 4775
Reputation: 1249
OK, let's set up some sample data to make the example problem clearer.
In the Users table:
{objectId:"BBBB", name:"Bob", age:18, email:"[email protected]", ACL: only Bob Read/Write}
{objectId:"JJJJ", name:"Jane", age:27, email:"[email protected]", ACL: only Jane Read/Write}
So Bob sends a friend request to Jane. You create a new object in the FriendRequest class.
{objectId:"XXXX", fromUser: <ptr to BBBB>, toUser: <ptr to JJJJ>, ACL: Bob and Jane Read/Write}
In your current setup, you have set up the ACL so that no one else can read them.
Option 1
As you have suggested, when Bob makes the request to Jane, since it is initiated from a device where Bob is logged in, he can add Jane to the ACL. You will then need to remove Jane from the ACL either when she accepts or rejects the friend request, or perhaps after a certain amount of time.
This is simple when Jane needs to request data from Bob, as she can pull it from his user class. However, it requires more management later on (ensuring the ACLs are reset properly later on, using a scheduled task to ensure that all friend requests not resolved after 2 weeks are "reset", and finally, if there is some reason you are securing all user classes so that they are read-only, temporarily making all of Bob's attributes readable to Jane might be a bad thing).
Lazy Option
You could just make all users read-to-all. More insecure obviously and something I imagine you want to avoid since you are using ACLs and posted this in the first place.
Data Duplication Option
This requires temporary data duplication, but then you are only duplicating the specific information you require, nothing more. Say you want name and email but not age from the user.
{objectId:"XXXX",
fromUser: <ptr to BBBB>,
fromUserName: 'Bob',
fromUserEmail: '[email protected]',
toUser: <ptr to JJJJ>,
ACL: Bob and Jane Read/Write}
So when Bob creates the request, he puts his own info into the request object. Jane can read this info. Once the request is complete, you could make it so that Jane could read Bob's data, or you may have some other table FriendRelations which describes these relationships (again, duplicating relevant data if this made things more secure for you).
Upvotes: 3
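The following is an added example, not the answerer's code and not the Parse SDK: a small in-memory model of Parse-style per-object ACLs that reproduces the question's symptom (the included "fromUser" comes back as a bare pointer because only Bob can read his own User row) and then shows both of the answer's approaches side by side, Option 1 (grant Jane read on Bob's row and revoke it on resolution or after two weeks) and the data-duplication option (copy only an allow-list of fields onto the FriendRequest). Every name in it (ACL, makeUser, fetchRequestAs, grantReadForRequest, sweepStaleRequests, SHARED_FIELDS, createRequestWithCopy) and the email addresses are assumptions constructed for the example.

```javascript
// Added example (assumption: a toy model of Parse's per-object ACL semantics, not the SDK).
class ACL {
  constructor() { this.readers = new Set(); this.writers = new Set(); }
  setReadAccess(userId, allowed) { allowed ? this.readers.add(userId) : this.readers.delete(userId); }
  setWriteAccess(userId, allowed) { allowed ? this.writers.add(userId) : this.writers.delete(userId); }
  canRead(userId) { return this.readers.has(userId); }
}

// Constructed sample rows mirroring the answer: each User row is readable/writable only by itself.
function makeUser(objectId, name, age, email) {
  const acl = new ACL();
  acl.setReadAccess(objectId, true);
  acl.setWriteAccess(objectId, true);
  return { objectId, name, age, email, ACL: acl };
}
const users = {
  BBBB: makeUser('BBBB', 'Bob', 18, 'bob@example.invalid'),   // constructed address
  JJJJ: makeUser('JJJJ', 'Jane', 27, 'jane@example.invalid'), // constructed address
};

// ACL for a FriendRequest: both parties read/write, nobody else.
function requestACL(fromUserId, toUserId) {
  const acl = new ACL();
  for (const id of [fromUserId, toUserId]) { acl.setReadAccess(id, true); acl.setWriteAccess(id, true); }
  return acl;
}

// Baseline from the question: the logged-in sender creates the request with just two pointers.
// The sender is taken from the session, never from client input, so a user cannot forge
// a request "from" somebody else.
function createRequest(sessionUserId, toUserId) {
  if (!users[sessionUserId] || !users[toUserId] || sessionUserId === toUserId) throw new Error('bad request');
  return { objectId: 'XXXX', fromUser: sessionUserId, toUser: toUserId, ACL: requestACL(sessionUserId, toUserId), createdAt: 0 };
}

// A query with include('fromUser') run as `requesterId`: the request is returned only if its
// own ACL allows it, and each included pointer is expanded only if *that* User row's ACL
// allows the requester; otherwise the pointer stays bare. This is why Jane gets no data for Bob.
function fetchRequestAs(requesterId, request) {
  if (!request.ACL.canRead(requesterId)) return null;
  const expand = (id) => {
    const u = users[id];
    if (!u || !u.ACL.canRead(requesterId)) return { objectId: id };
    const { ACL: _acl, ...fields } = u;
    return fields;
  };
  const { ACL: _acl, ...rest } = request;
  return { ...rest, fromUser: expand(request.fromUser), toUser: expand(request.toUser) };
}

// Option 1: the sender grants the recipient read access on his own User row (exposing every
// field, age included), and the grant is revoked on accept/reject or by a sweep over stale requests.
function grantReadForRequest(request) { users[request.fromUser].ACL.setReadAccess(request.toUser, true); }
function revokeReadForRequest(request) { users[request.fromUser].ACL.setReadAccess(request.toUser, false); }
const TWO_WEEKS_MS = 14 * 24 * 60 * 60 * 1000;
function sweepStaleRequests(requests, nowMs) {
  const stale = requests.filter((r) => nowMs - r.createdAt > TWO_WEEKS_MS);
  stale.forEach(revokeReadForRequest);
  return stale.length; // number of grants revoked
}

// Data-duplication option: copy only an allow-list of the sender's fields onto the request.
// The copy is made from the sender's own session, the recipient never gets read access to the
// User row itself, and anything not in the list (here: age) is never exposed.
const SHARED_FIELDS = ['name', 'email'];
function createRequestWithCopy(sessionUserId, toUserId) {
  const req = createRequest(sessionUserId, toUserId);
  const me = users[sessionUserId];
  for (const f of SHARED_FIELDS) {
    req['fromUser' + f[0].toUpperCase() + f.slice(1)] = me[f]; // fromUserName, fromUserEmail
  }
  return req;
}
```

Calling `fetchRequestAs('JJJJ', createRequest('BBBB', 'JJJJ'))` reproduces the question: the request is returned, but `fromUser` is only `{ objectId: 'BBBB' }`. After `grantReadForRequest` Jane sees all of Bob's fields, including the age the answer warns about, until `revokeReadForRequest` or `sweepStaleRequests` runs; with `createRequestWithCopy` she sees `fromUserName` and `fromUserEmail` on the request itself while the User row stays closed.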