Hi !
I have been playing around with privacy rules to secure my app, but I feel a bit constrained.
Basically, I would like to show a profile page for each of my users (visible to logged users and visitors), BUT I don’t want to expose the list of all my users to anyone who knows how to do a query in the console.
So ideally, I would unclick ‘find in searches’ in the Users privacy rules, but it seems that giving the ‘profile’ page a data type and assigning it a user ID then behaves like a ‘do a search’ so the page returns empty.
How would you go around doing that ? Am I missing something ?
Thank you !
What do you mean by ‘visitor’? Is this person given a unique URL to view the page?
The best way to do this would be to uncheck the ‘Find in searches’ by default. Add two privacy rules that grant search rights:
- This user is current User
- Current User’s Temporary Access Token = This user’s Token
The token would be a secure code randomly generated when a User signs up. When a user shares to a visitor a link to view their profile, you would add a parameter to the URL with the Token.
On visitor page load, if a Token exists in the url, make change to the Current User and set their Temporary Access Token field to the Token in the URL. This will give them search rights and privacy accesss to the data defined by Rule 2.
Because privacy rules are determined server side, and don’t live update, you might need to run a page refresh for Rule 2 to kick in.
A visitor would be any person that is not logged in.
The page would be a ‘profile’ page with data type User and its URL would be https://myapp.com/profile/[visited-profile-user-ID]
You will have to use a method similar to what I outlined above.
Append a token to the URL when the user shares it with a visitor.
OK thanks 
I will try something along those lines.
