Advanced Privacy Rules?

Hello,

I’m building an app that includes Projects. I have a permissions model that enables users to either edit, comment, view, or do nothing on a given Project. The way I currently have this implemented is via a Contributor model. A Contributor is a User + a Capability (can edit, can comment, etc.). Projects have a Contributors field, which is a list of Contributor objects.

I want to set up privacy rules so that Users who don’t have appropriate permissions for a given Project can’t see any of that Project’s data, but I’m struggling to do that with the privacy rule definitions.

I’d like to do something like:

this projects:contributors:filtered('can edit'):each item's user contains current_user

Is there a way to do a more advanced query for a privacy rule?

I thought of having Project fields for editors, commentors, and viewers, each as a list of Users. But, that seems like it doesn’t give me much flexibility to add new permissions levels in the future, and it makes it more difficult to list out the Users that have any permissions for a given Project.

Help and advice appreciated.

Thanks!


Sorry to revive - did you find an answer for this? I too am looking to use a filter in a list to determine if the user is in a list of contacts.

In my case we have:

User
CRM Contact (Link Type, Linked User)
CRM Service Demand (List of CRM Contacts)

I am trying to give the user the permission to view the CRM Service Demand, if they are within that list of contacts.

Apparently this post goes on every couple of years. Lol.
I have just started my search and found this one. But no solution yet.

I’m facing the exact same issue. Having an advanced per-project privacy rule seems to not be feasible.

I’m setting my mind to use a partial approach, mixing Privacy Rules with in-search filtering.

@justing @cliffwoodjames @stefano,
I would assume that you have your Capability options (can edit, can comment, etc.) stored in an Option Set called “Capability”.

How about this expression:
Current User is logged in and This Project’s Contributors contains Current User and Current user Capability is Can edit

Does this work for you?

Hey @ahmed.elkaffas1 thanks for hopping in.

Your solution seems fine, but it still doesn’t cut it. At least for my current DB structure.
Let me show you:

Here’s a diagram exemplifying. My current structure allows for a given user to have different access levels for different locations - a one-to-many relationship.

So placing a user with a certain access listed on two companies, with the suggested Privacy Rules, will allow said user to have the same access level on both, which may not be true.

The current setup makes use of relational tables (Data Type) connecting User-Permission-Location, so for the privacy rules to work I’d have to make a search for User and Location under a certain permission.

Unfortunately we can’t do that.

As I was writing this a possible half-workaround came into my mind, so as to at least have some privacy rules and not rely 100% on frontend filtering.

I could add to the Locations a list of users permitted there as a Privacy Rule. That way I can at least guarantee that Privacy Rules are active and data is somewhat private; and it may have the added benefit of simplifying my filters on the Frontend.

The downside to this solution is that it will be very easy to get un-synced data, as I’ll have two sets of repeated data: User-Location-Permission and List of Permitted Users (under Location).

@stefano Thanks for sharing more info.
Well, I believe you have the list of possible actions / permissions in an Option Set,
and as you say, each user can have multiple actions on multiple locations, but this doesn’t necessarily mean that the actions User A has on Location A are the same actions he has on Location B.
In that case, I believe you might already have a field in your User data type called “Location” which says which Location this user belongs to. On the other hand, I would suggest you create a list of Users in the “Location” data type which says who the users of this location are. This is called 2-way linking. Also in this case, I would assume that your list is not so long; in other words, the number of items in each list is limited, maybe around 30 items maximum. If this is the case, then go for it, while if the list in any table might be longer, then we have to find another way.
About the un-synced data risk, yes, that’s right, but you can overcome it with triggers on both tables to guarantee that the data is always up to date on both sides.
Hope this helps!
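
Added example, not part of any post above and not Bubble code: a Python sketch of the setup discussed in the thread (User-Location-Permission rows plus a permitted-users list on each Location). It shows how to detect the un-synced data mentioned above and why the access level has to be checked per location. All names and sample rows are constructed.

```python
# Added example; every name and sample row here is constructed for illustration.
from collections import defaultdict

# User-Location-Permission join rows: the source of truth for access levels.
GRANTS = [
    ("alice", "loc_a", "can_edit"),
    ("alice", "loc_b", "can_view"),
    ("bob",   "loc_b", "can_edit"),
]

# Denormalized "permitted users" list stored on each Location, the only
# thing a list-contains style privacy rule can test against.
PERMITTED = {
    "loc_a": {"alice", "carol"},  # carol: stale entry, her grant was deleted
    "loc_b": {"alice"},           # bob: grant exists, list was never updated
}

def derive_permitted(grants):
    """Rebuild each location's permitted-user set from the join rows."""
    out = defaultdict(set)
    for user, location, _perm in grants:
        out[location].add(user)
    return dict(out)

def find_drift(grants, permitted):
    """Return {location: (stale_users, missing_users)} where the copies disagree.

    stale   = listed on the location but has no grant (data over-exposed)
    missing = has a grant but is not listed (legitimate user locked out)
    """
    expected = derive_permitted(grants)
    drift = {}
    for loc in set(expected) | set(permitted):
        stale = permitted.get(loc, set()) - expected.get(loc, set())
        missing = expected.get(loc, set()) - permitted.get(loc, set())
        if stale or missing:
            drift[loc] = (stale, missing)
    return drift

def can(grants, permitted, user, location, perm):
    """The list only gates visibility; the level must come from the join
    row for this specific location, never from a user-wide field."""
    visible = user in permitted.get(location, set())
    return visible and (user, location, perm) in grants

if __name__ == "__main__":
    for loc, (stale, missing) in sorted(find_drift(GRANTS, PERMITTED).items()):
        print(loc, "stale:", sorted(stale), "missing:", sorted(missing))
```

Running a reconciliation like `find_drift` on a schedule catches the case where one of the two sync triggers was skipped or failed.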