DmitrySharabin
commented
4 years ago Other useful quotes from the corresponding issue in the Mavo repo:
Ideally, the remote backend would read these permissions, verify them with the admin when they are logged, and set them remotely too. But even backends that require setting permissions separately need to reflect them into the UI somehow.
Unfortunately, that leaves the question about data structure open. Firebase security rules are not filters: we can only use some built-in variables and get access to some piece of data in the queried documents before letting users have access to its full content.
If a permission is provided without a value, the implied value is "everyone".
i.e. public for now.
To start working on this feature, I need to clarify a couple of things.
Firstly, every property and its value (values for collections) needs to be stored with some extra metadata:
userproperty, which is provided by a backend or any special properties provided by Mavo, e.g.,$creator,$user, etc.Does it mean that for now, we need to define a new storage format for the Firebase plugin? I suppose yes. Because for now, the plugin stores the JSON file provided by Mavo, and it hasn't got any metadata. Firebase adds some extra data, but they are about the file itself (an id of a user created/modified the file, date and time of its creation/modification, maybe something else, I'm not sure), not its content. A new storage format would become some kind of polyfill till the Mavo core gets the granular permissions feature.
Secondly, in this issue, Lea describes new attributes for granular permissions (I know it can be a WIP, but I need some starting point):
mv-can-view,mv-can-edit,mv-can-add,mv-can-delete. And here we can find the set of values for them:public,own,no.Questions:
mv-can-saveattribute, do we?mv-can-editattribute, we automatically propagate its value to themv-can-addandmv-can-deleteattributes if their values are not specified explicitly, don't we?@leaverou Lea, will you please have a look at my thoughts? Did I miss something?