Open sanderpick opened 4 years ago
Any progress on this?
Firebase has some interesting ACL ideas for document style data. https://firebase.google.com/docs/reference/security/database
That JSON ACL doc structure looks good :+1: Just also wanted to put collection and record level ACL on the radar. @andrewxhill did mention that would be a second release on ACL but chiming in here as well. It would be nice to make it so that for example a group of users can all ready the data in a thread or collection (done by your read permission above), but also that only the user that created the record can edit or delete that particular record.
Does the caller control the associated private key?
Is there a way to verify this already locally (different from the API key context creation for the hub)? Think I heard someone mention that but can't find it in the docs.
For each new thread, a JSON ACL doc can be built by the client lib:
Some notes:
*
is anyone.thread.ID
. This means that the ACL and it's rules can be independently verified / enforced by anyone who has the ACL andthread.ID
.This PR is enabling the last piece.
Originally posted by @sanderpick in https://github.com/textileio/go-threads/pull/293#issuecomment-606789989