Right now the User Access Control is handled by Views by filtering data based on user, although guessing a document ID is far fetched, I'm paranoid about the fact that it can be accessed if that possibility is proven right.
Point in case, if the Document ID is known, one use is able to access another user's job application.
This should be addressed programatically, where a conditional check should be possible to check if the entity belongs to the user before access to that entity is given.
These are two ways I think it can be approaced:
In permissions there can be a owner definition
In CRUD Hooks a beforeRead can be introduced where a condition like this
if (Entity.owner.id !== User.id) { throw new Error("Forbidden"); }
Right now the User Access Control is handled by Views by filtering data based on user, although guessing a document ID is far fetched, I'm paranoid about the fact that it can be accessed if that possibility is proven right.
Point in case, if the Document ID is known, one use is able to access another user's job application.
This should be addressed programatically, where a conditional check should be possible to check if the entity belongs to the user before access to that entity is given.
These are two ways I think it can be approaced:
permissionsthere can be a owner definitionbeforeReadcan be introduced where a condition like thisif (Entity.owner.id !== User.id) { throw new Error("Forbidden"); }