Adding activities to feeds whose id don't match with the current user

Question

I am building something similar to Trello where people can watch boards for notification updates and I quickly realized users can't add activities to feeds that don't match uid unless configured manually. (See GitHub issue: https://github.com/GetStream/react-activity-feed/issues/23)

I can see why permission needs to be denied as this can be a security concern. But then in the case of Music app like Spotify (https://getstream.io/docs/#social-network), how can users add activities to "playlist"?

So, my questions are:

• Would manual configuration raise any security concerns?
• If we don't configure it manually, how could users add activities to "playlist"? Is there any way to add activities without doing it on the server?

Answer 1

When feed type is configured for shared write access it means that any user would be allowed to write to any feed with that type. So if you have a playlist feed type configured for shared access user A would be allowed add/delete activities to playlist:B instead of only being allowed to write to playlist:A Whether this is a security concern is dependent on the system you are trying to build.

Doing this operation via a server under your control you can ensure no invalid operations are permitted.

For your case you could use follow following to get other users' board updates to their notification feeds.