API rule join syntax for "sharing" records with other users?

[j6k4m8]

Hi team, wondering how you'd approach this query that (I believe) needs an aliased join. Very hard to debug these rules (requires an edit and then running a few queries as a test suite) so hoping you might have some insight!

Here's a super simple MVP schema to illustrate; Users write Storys and collect them in Books.

Story
    text:    string
    author:  →User
    book:    →Book

User
    id
    username

Book
    owner:   →User

Here, a user is allowed to edit any Story for which they are an author. Fine, easy:

-- Story permission:
@request.auth.id = author.id

Now they want to invite some collaborators. The best way I can think of doing this (for arbitrary, large number of collaborators) is a separate collection that stores the permission. (i.e., I'd rather avoid a list of relations, since I think that's an anti-pattern here?)

EditPermission:
    book_owner: →User
    book:       →Book
    grantee:    →User

In this toy example I want any user who has been granted permission to a book to be able to edit the constituent stories.

-- Story permission:
-- I am the original creator,
(@request.auth.id = author.id) 
||
-- Or I have been granted permission to a book:
???

It seems that this is a new feature with the @collection and aliasing capabilities, but I absolutely cannot decode the documentation here nor the answer here for this use-case. Hopefully some help here will aid other users in a similar situation :)

[j6k4m8]

@ganigeorgiev apologies for the misfiled discussion, thank you for moving!

[ganigeorgiev]

I'd rather avoid a list of relations, since I think that's an anti-pattern here?

It depends on the desired data flow. The main cons of having a multiple relation field directly in the Story collection is that anyone who can modify the story will be able to add/remove relations (unless restricted programmatically with Go/JS or some complex API rule). For example, this is usually useful when you want to assign multiple tags, categories, labels, etc.

For your particular example using a separate collection is may be the better approach, although I'm not sure that I fully understand the desired behavior (ex. is the book_owner field needed?).

If you use PocketBase v0.22.0, here is a slightly modified version of your last rule:

// Story permission:
// bail out early to avoid the other checks and
// to ensure that there is no situation where it will match "" = ""
@request.auth.id != "" && (
    // I am the original creator,
    @request.auth.id = author
    ||
    // Or I have been granted permission to a book
    // (similar to @request.auth.EditPermission_via_grantee.book ?= book)
    @request.auth.id ?= book.EditPermission_via_book.grantee
    ||
    // and maybe if you want to allow access to the book owner
    @request.auth.id = book.owner
)

(note that we use ?= because EditPermission_via_book is treated as dynamic multiple relation field; see Back-relation caveats)

If for some reason you don't want to use the back-relation syntax and want to perform manually the join, the equivalent of @request.auth.id ?= EditPermission_via_book.grantee would be:

(
    @collection.EditPermission.book ?= book &&
    @collection.EditPermission.grantee ?= @request.auth.id
)

edit: updated the rule with check for @request.auth.id != ""
edit2: update the rule to reflect the comments below

[j6k4m8]

wow this is great — will translate to my current use case and report back ASAP! thank you!!
you're right that the owner field is not explicitly needed for this example, I was going to ask a slightly different question and chickened out at the last second :)

[j6k4m8]

I think this is exactly what I was looking for, with the edit that I think the back-relation needs to be

                        vvvv
    @request.auth.id ?= book.EditPermission_via_book.grantee
                        ^^^^

To be honest I'm not quite sure I understand this syntax, but that does appear to be doing what I wanted!

[ganigeorgiev]

Ah, yes sorry. EditPermission_via_book is treated as dynamic relation field and roughly translates to:

"Join all EditPermission records that has book relation field matching the id of my filtered collection (in your case that would be the id of the Story.book relation)".

The rule could be also written as:

@request.auth.EditPermission_via_grantee.book ?= book

[j6k4m8]

this is awesome — exactly what I needed! very helpful context, thank you!