Private and Public simultaneously?

My app is a marketplace. One side creates product quotes, the other purchases from them. For the purchasing side, I would like to create a eventual log in with a UI to access all their quotes AND a low friction way for them to get emailed links to quotes in order to view without login.

I would like to reasonably protect other people from seeing other people’s quotes.

Here is my initial plan:

  • Quotes privacy- viewable by all, searchable by only “quote owner”
  • The link I send for “non-logged-in” users, will be sent with a link code parameter for simple link authentication.

I am concerned about when a user is logged in. Will they be able to see other people’s quotes?

It seems they will not be able to search for it, but can they “hack” their way into the quote if they know the unique id?

And if this is unclear here is an example:

  • I can be sent a Docusign link via email. I can access and sign it without logging in. However, to my knowledge no one can log into the user interface and see everyone else’s documents.

This would operate just like google sheets shareable links. You have two options with sharing a google sheet. 1 - you can share a public link or 2- only a link that’s viewable by a specific google user after logged in.

You could do the same.

This would be based on your privacy settings. You can have a repeating group with all links, but filtered by who created or who has permission.