Restrict MongoDB data to document's owner


#1

Hi all,
is there a “golden way” to restrict each user to its own data?

Let’s talk about “game achievements” by my registered user.

He will need to:

  • create records in a MongoDB collection called Achivement
  • edit these records
  • view only his records

I saw the user_id_on_create and api_read_only fields but I’m not able to figure this out.

Is this only a schema topic or also a service security one?

Thanks!

Antonello


#2

We have some blog posts on this. You can create a server side filter on Achievement where the owner id field of the record = the value of the lookup key {user.id}. This is done as part of the role service access settings.


These were written for DreamFactory 1.x but the concepts are the same for 2.x.
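The owner filter described in this answer, sketched as an added example that is not part of the original post and is not DreamFactory's own code. The field name `owner_id` and the three function names are assumptions; the point is that the server composes the owner condition itself and never trusts an owner value sent by the client.

```python
"""Owner scoping for MongoDB-style requests (added example, constructed)."""

OWNER_FIELD = "owner_id"  # assumed name of the owner field on Achievement records


def scope_filter(user_id, client_filter=None):
    """Filter that can only match records owned by user_id.

    The client's conditions stay in their own $and clause, so an owner_id
    or $or condition sent by the client cannot widen the match.
    """
    owner_clause = {OWNER_FIELD: user_id}
    if not client_filter:
        return owner_clause
    return {"$and": [owner_clause, client_filter]}


def scope_insert(user_id, doc):
    """Copy of doc with the owner set by the server, never by the client."""
    scoped = dict(doc)
    scoped[OWNER_FIELD] = user_id
    return scoped


def scope_update(user_id, client_filter, update):
    """(filter, update) pair for an edit that cannot reassign ownership."""
    # A plain replacement document could silently drop the owner field.
    if not update or not all(key.startswith("$") for key in update):
        raise ValueError("only operator updates are accepted")
    for op, fields in update.items():
        targets = set(fields)
        if op == "$rename":
            targets |= set(fields.values())  # rename targets count too
        for name in targets:
            if name == OWNER_FIELD or name.startswith(OWNER_FIELD + "."):
                raise PermissionError(f"{op} may not touch {OWNER_FIELD}")
    return scope_filter(user_id, client_filter), update
```

The returned dictionaries use standard MongoDB query and update operator syntax, so they can be passed to whatever driver or service layer performs the actual read, insert or update.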


#3

Great posts!

Thank you!