Restricting Post Visibility to User’s Friends using Privacy Rules in a Social Networking App

Hello Bubble community! :wave:

I’m currently working on a social networking application, and I’ve encountered a challenge related to post visibility. The structure of my data is as follows: Users, Posts, and Friendships. Users can establish multiple friendships and create numerous posts. My goal is to configure the system so that only friends of a user can view their posts. Given that a user may have an extensive network of friends, potentially exceeding 100, appending a “friends” attribute directly to each post could be detrimental to performance.

My question revolves around the use of privacy rules to manage data access. Would it be advisable to create a PostVisibility data type? This table would have a PostID column linked to the Post data type and a UserID column for the friend who can view the post. When a user creates a post, I would insert a new record into the Post table and then populate the PostVisibility table with entries for each friend. To retrieve the posts visible to a specific user, I would perform a query that joins the Posts, Users, and PostVisibility tables, filtering by the user’s ID in the PostVisibility table.

Is this a good approach, or could there be a more efficient method? Also, if I introduce a Comment data type that allows friends to comment on posts, should the PostVisibility concept be extended to comments to maintain privacy?

I am looking for a database architecture that supports both efficient and secure viewing permissions through privacy rules that ensure posts are accessible only to friends. I’m eager to learn of any strategies or best practices that might effectively address this situation. If anyone has faced a similar challenge, or can offer insights into setting up such permission structures, your guidance would be invaluable. Thanks in advance.
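An added example (not part of the original post, and not Bubble's own mechanism): the PostVisibility fan-out described above, modelled in SQLite next to a friendship check evaluated at read time, to show what happens to the fan-out rows when friendships change after a post is created. The table names, function names and user IDs are assumptions made for illustration.

```python
import sqlite3

# Constructed schema modelling the question's Posts and Friendships plus
# the proposed PostVisibility table (all names are assumptions).
SCHEMA = """
CREATE TABLE friendship(user_a INT, user_b INT, PRIMARY KEY(user_a, user_b));
CREATE TABLE post(id INTEGER PRIMARY KEY, author INT, body TEXT);
CREATE TABLE post_visibility(post_id INT, user_id INT,
                             PRIMARY KEY(post_id, user_id));
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def add_friend(db, a, b):
    # Friendship is symmetric, so store both directions.
    db.executemany("INSERT OR IGNORE INTO friendship VALUES (?, ?)",
                   [(a, b), (b, a)])

def unfriend(db, a, b):
    db.execute("DELETE FROM friendship WHERE (user_a=? AND user_b=?) "
               "OR (user_a=? AND user_b=?)", (a, b, b, a))

def create_post(db, author, body):
    # Fan-out on write: one post_visibility row per friend at posting time.
    pid = db.execute("INSERT INTO post(author, body) VALUES (?, ?)",
                     (author, body)).lastrowid
    db.execute("INSERT INTO post_visibility "
               "SELECT ?, user_b FROM friendship WHERE user_a = ?",
               (pid, author))
    return pid

def visible_fanout(db, viewer):
    # Read path of the PostVisibility design: join on the snapshot rows.
    q = ("SELECT p.id FROM post p JOIN post_visibility v ON v.post_id = p.id "
         "WHERE v.user_id = ? ORDER BY p.id")
    return [r[0] for r in db.execute(q, (viewer,))]

def visible_live(db, viewer):
    # Alternative: evaluate friendship at read time, no per-post rows.
    q = ("SELECT p.id FROM post p WHERE EXISTS (SELECT 1 FROM friendship f "
         "WHERE f.user_a = p.author AND f.user_b = ?) ORDER BY p.id")
    return [r[0] for r in db.execute(q, (viewer,))]

if __name__ == "__main__":
    db = build_db()
    add_friend(db, 1, 2)               # constructed users 1 and 2
    pid = create_post(db, 1, "hello")
    unfriend(db, 1, 2)
    print(visible_fanout(db, 2), visible_live(db, 2))  # snapshot vs. live check
```

With the fan-out table, an unfriended user keeps access to older posts and a new friend sees none of them unless the rows are deleted and backfilled whenever a friendship changes; the read-time check has no such snapshot to maintain.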

If you want to use the privacy rules, you have to:
Either, in the post data type, add a field of type list of users to store the users who can view the post.
Or, in the user data type, add a field of type list of users to store the friends.
Neither approach is effective, since the user may have a lot of friends. And I can’t find any value in creating a PostVisibility data type.

But why do you need privacy rules for this? I mean why not just use the constraints in the RG?

@salemmo409, I’m inclined to implement privacy rules for their robust security features. However, if they don’t meet my requirements, I’m willing to consider applying constraints to the repeating group as an alternative solution.

I believe that using the constraints is the basic solution for your case, and the privacy rules are the alternative and wrong one.