API rule join syntax for "sharing" records with other users? #4476
-
Hi team, wondering how you'd approach this query that (I believe) needs an aliased join. Very hard to debug these rules (requires an edit and then running a few queries as a test suite) so hoping you might have some insight! Here's a super simple MVP schema to illustrate;
Here, a user is allowed to edit any

```
-- Story permission:
@request.auth.id = author.id
```

Now they want to invite some collaborators. The best way I can think of doing this (for arbitrary, large number of collaborators) is a separate collection that stores the permission. (i.e., I'd rather avoid a list of relations, since I think that's an anti-pattern here?)

In this toy example I want any user who has been granted permission to a book to be able to edit the constituent stories.

```
-- Story permission:
-- I am the original creator,
(@request.auth.id = author.id)
||
-- Or I have been granted permission to a book:
???
```

It seems that this is a new feature with the
-
@ganigeorgiev apologies for the misfiled discussion, thank you for moving!
-
It depends on the desired data flow. The main con of having a multiple `relation` field directly in the `Story` collection is that anyone who can modify the story will be able to add/remove relations (unless restricted programmatically with Go/JS or some complex API rule). For example, this is usually useful when you want to assign multiple tags, categories, labels, etc.

For your particular example using a separate collection may be the better approach, although I'm not sure that I fully understand the desired behavior (ex. is the `book_owner` field needed?).

If you use PocketBase v0.22.0, here is a slightly modified version of your last rule:

```
// Story permission:
// bail out early to avoid the other checks and
// to ensure that there is no situation where it will match "" = ""
@request.auth.id != "" && (
    // I am the original creator,
    @request.auth.id = author
    ||
    // Or I have been granted permission to a book
    // (similar to @request.auth.EditPermission_via_grantee.book ?= book)
    @request.auth.id ?= book.EditPermission_via_book.grantee
    ||
    // and maybe if you want to allow access to the book owner
    @request.auth.id = book.owner
)
```

(note that we use

If for some reason you don't want to use the back-relation syntax and want to perform the join manually, the equivalent of

```
(
    @collection.EditPermission.book ?= book &&
    @collection.EditPermission.grantee ?= @request.auth.id
)
```

edit: updated the rule with check for
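As an added illustration (not code from the thread or from PocketBase), the Go sketch below models the posted rule over constructed records to show what the `@request.auth.id != ""` guard prevents: a guest request, whose auth id is empty, matching a story whose `author` field is empty. The type and function names are assumptions made for this sketch.

```go
package main

import "fmt"

// Constructed records mirroring the thread's collections (sample data, not a real database).
type Story struct{ Author, Book string }
type EditPermission struct{ Book, Grantee string }
type DB struct {
	Owners map[string]string // book id -> owner id
	Perms  []EditPermission
}

// anyGrantee models `@request.auth.id ?= book.EditPermission_via_book.grantee`:
// true if at least one EditPermission row for the book names authID as grantee.
func (db DB) anyGrantee(authID, book string) bool {
	for _, p := range db.Perms {
		if p.Book == book && p.Grantee == authID {
			return true
		}
	}
	return false
}

// Unguarded is the rule body without the leading `@request.auth.id != ""` check.
func Unguarded(db DB, authID string, s Story) bool {
	return authID == s.Author || db.anyGrantee(authID, s.Book) || authID == db.Owners[s.Book]
}

// Guarded is the rule as posted in the reply: bail out early for guests.
func Guarded(db DB, authID string, s Story) bool {
	return authID != "" && Unguarded(db, authID, s)
}

// Sample returns constructed data: one shared book and one story whose author is empty.
func Sample() (DB, Story, Story) {
	db := DB{
		Owners: map[string]string{"book1": "owner1"},
		Perms:  []EditPermission{{"book1", "alice"}, {"book1", "bob"}},
	}
	return db, Story{Author: "carol", Book: "book1"}, Story{Author: "", Book: "book1"}
}

func main() {
	db, shared, orphan := Sample()
	for _, id := range []string{"carol", "bob", "owner1", "dave", ""} {
		fmt.Printf("auth=%q shared: guarded=%v | orphan: unguarded=%v guarded=%v\n",
			id, Guarded(db, id, shared), Unguarded(db, id, orphan), Guarded(db, id, orphan))
	}
}
```

In this model the empty auth id passes the unguarded rule only for the story with the empty author, which is the `"" = ""` case the rule comment warns about.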