Create Documents that should be visible to only users that created them

Hello folks! In my flutter app, I want to allow users to only be able to read/update/delete the documents that they themselves created. I've already created an email session and stored the userId in my localstorage using shared preferences. I'm trying to assign permissions while the user is creating documemts by doing this:

TypeScript

taskList.forEach((task) {
        AppwriteService.database.createDocument(
          databaseId: Strings.databaseId,
          collectionId: Strings.collectionId,
          documentId: ID.unique(),
          data: task.toJson(),
          permissions: [
            Permission.read(Role.user(Constants.userId)),
            Permission.delete(Role.user(Constants.userId)),
            Permission.update(Role.user(Constants.userId)),
          ],
        ).then((value) {
          if (value.data.isNotEmpty) {
            print('Success');
          }
        });
      });

But I'm getting an error saying "AppwriteException (AppwriteException: user_unauthorized, The current user is not authorized to perform the requested action. (401))". What exactly am I doing wrong? Also, should I be doing it this way (the taskList I am iterating through is a list of all tasks I want to store for that specific user).

I'm using Appwrite cloud, not local

TL;DR

User is trying to set permissions on documents they are creating in their Flutter app using Appwrite cloud. They want to allow users to only read/update/delete the documents they created. They are getting an error saying "AppwriteException: user_unauthorized, The current user is not authorized to perform the requested action. (401)". They are asking for assistance on what they are doing wrong and if their approach is correct. Solution: The user needs to ensure that they have the appropriate permissions set on the collection. By default, no users have access to create documents, so they need to set the permissions on the collection to allow the intended actions

What permissions did you set on the collection?

Umm I need to set permissions on the collection?

Yes, by default, no users have access to create documents

Oh! Okay I updated my collection permissions and have allowed everything. I'll try again. But I'm curious as to why collections have no default permissions. I mean wouldn't it make more sense to keep a create and update permission by default?

No because what if you really don't want anyone to be able to create anything?

And we'd rather have secure/no access by default rather than have users accidentally expose their collections

what's the db structure like?

Does each user have a collection for them? Or does each user have a document in the collection?

Also, have you enabled document security on the collection?

I initially was going to do a separate collection for each user, but after a discussion in <#564160731327758347> I learned that Appwrite has permissions through which I can achieve the same result I want. Essentially I want a user to be able to view/update/delete only the tasks they've created. I'm actually a newb at designing backends/dbs so I would appreciate any input on which approach to take: Whether to create new collection for each user or use document permissions.

Yes

In general, I recommend starting with a collection per data type. Then, you can break things out into separate collections as needed

Alright, thanks! I'll update on what happens with the permissions as well!

Reply to this thread by joining our Discord

Reply on Discord

Need support?

Join our Discord

Get community support by joining our Discord server.

Join Discord

Get premium support

Join Appwrite Pro and get email support from our team.

Learn more

Recommended threads

Need support?

Join our Discord

Get premium support