I’m having trouble configuring my privacy rules. I guess I can’t have all that I need using this setup.
My app has two tables:
- User: Contains an “Is System Admin?” boolean field (default is “no”).
- Things: Contains an “Owner” list that lists all the Users that should be able to write to this table.
There are two scenarios where Users should be able to write to Things:
- If the Current User is a system admin.
- If the Thing’s Owner list contains the Current User.
The layout of the website will have different components depending on whether the user is a System Admin or a Thing’s Owner.
Now comes the part that is tricky for me: I’m assuming (maybe wrongly, let me know) that a malicious user can change a field using the browser console once they have access to it (allowed by the Privacy Rule, which is required to mount the page components according to their “profile”).
- How am I supposed to check whether this user is a System Admin or a Thing’s Owner, but at the same time not give the User access to change their boolean (or add themselves to the Thing’s Owner list)?
- Is there a better approach for this relationship of a group of Users owning another Thing?