In our app, users can create events (in which case they are the organizer) and they can attend events (in which case we call them users).
We want organizers to have access to details about their event, but not details about events that other users organized. We have pages (e.g., event-details) for the organizer to view those details.
What’s the best way to set up security for this at the page level? Seems to me that we’ll want to search for the organizer of a particular event on that page and check to see whether it matches the user. Would be nice to include this from a reusable element in the header, but then it’s not easy to look up the particular event (I’d normally do so with a hidden value, but that seems insecure, so would consider trying to pull the event ID from the URL). Any other thoughts?
What’s the best way to set up security for this at the database level? I presume there’s a way to set it up so that the organizer of an event has access to different details than users of that event, just by setting up different roles. Can anyone confirm whether this is the case?
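One way to implement the page-level check described above, as an added example that is not part of the original post: the event id is taken from the URL and the user from the server-side session, the viewer's role is derived from the stored organizer/attendee data rather than from any hidden field the browser submits, and the database-level counterpart filters by organizer in the query itself. The in-memory `EVENTS` store, `Event`, `event_details` and `organizer_events` are assumptions standing in for the app's own data layer.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    id: int
    organizer_id: int
    title: str
    attendee_ids: set = field(default_factory=set)
    private_notes: str = ""   # organizer-only detail

# Constructed sample data: two organizers (10, 11), user 20 attends both.
EVENTS = {
    1: Event(1, organizer_id=10, title="Launch", attendee_ids={20, 30}, private_notes="budget: 5k"),
    2: Event(2, organizer_id=11, title="Meetup", attendee_ids={20}, private_notes="deposit paid"),
}

class Forbidden(Exception):
    """Raised when the current user may not see the requested view."""

def role_for(event, user_id):
    """Derive the viewer's role from stored data, never from client input."""
    if user_id == event.organizer_id:
        return "organizer"
    if user_id in event.attendee_ids:
        return "attendee"
    return "none"

def event_details(event_id, session_user_id, form=None):
    """Response for the event-details page. event_id comes from the URL,
    session_user_id from the server-side session. `form` stands in for
    anything the browser posted (e.g. a hidden is_organizer field) and is
    deliberately not consulted for authorization."""
    event = EVENTS.get(event_id)
    if event is None:
        raise Forbidden("unknown event")   # same outcome as denied: no id probing
    role = role_for(event, session_user_id)
    if role == "none":
        raise Forbidden("not a participant")
    details = {"id": event.id, "title": event.title, "role": role}
    if role == "organizer":
        details["private_notes"] = event.private_notes
        details["attendee_count"] = len(event.attendee_ids)
    return details

def organizer_events(session_user_id):
    """Database-level counterpart: filter by organizer_id in the query itself,
    so a page can only ever list the caller's own events."""
    return sorted(e.id for e in EVENTS.values() if e.organizer_id == session_user_id)
```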