Granular permissions? #1
Comments
|
Hmm.. interesting. This would however mean that the authors would have to enter their firebase secret token somewhere every time they want to update the rules. (to my understanding you need to use a secret token to update rules) |
|
Don't the other backends enforce permissions based on the login? I know I can't write to your GitHub or Dropbox. The way the Firebase code is now, it expects you to put a rule for public read and write. So why put the public write rule? |
Ideally the rules would be specified in the Mavo HTML itself (so that Mavo also uses them in the UI) and when the admin logs in they would be synchronized (potentially with a confirmation). We discussed syntax with Lizzie a few months ago, this is the thread: lizziew/mavo-firebase#1 If we need a secret token to update rules, what about asking for it once, then storing it in a private field that only the admin can read, or in local storage? |
Yes I agree.
Not a big fan but it way be worth it. |
Not sure if I understand what you mean. By default the permissions for an unauthenticated user is read and login. Same as GitHub and Dropbox. However you can override that by using |
The real power of Firebase is that it's the only Mavo backend that supports granular permissions, e.g. being able to edit/delete your own objects only but not other people’s. It would be amazing if this was supported and the relevant rules generated and stored on Firebase (since people don't necessarily know how to write rules).
Would you be interested in working on this?
I would need to make a few changes on Mavo to support it, but I would be more than happy to.
The text was updated successfully, but these errors were encountered: