[SOLVED] Provide Access to specific attributes only

Hey team Appwrite hope you are doing well. I want to ptovide custom access for every of my attribute in a collection. Like for example, in a posts collection there is an array of likes having ids of users who liked the post. I just want to allow the users to update only likes array not the whole post. Means they can only like the post and their ID gets added in likes array of posts collection. Providing no access to other attributes of post collection.

TL;DR

The user is asking for a way to provide custom access to specific attributes in a collection. They mention workarounds such as using Appwrite Functions or creating one-to-one relationships. They also suggest creating a function that triggers when someone likes a post to update it on their behalf. The user asks if this is a good practice and if there are plans for attribute level security in Appwrite. It is suggested to create a different collection for the likes attribute. The core team suggests opening an issue for this feature request. At the moment, Appwrite does not support attribute level security.

For now Appwrite doesn't support attribute level security

Instead you will need to have a different collection

Or document

Or document in a different collection

Yep then having a document in a different collection is good to go. And are there any plans to bring attribute level security?

For now it doesn't seems planned as far as I know 👀

Okey thank you @D5 for your valuable suggestions. And yes if you request to the Core team to add it in the roadmap it would be great. Because at this moment we don't have stable relationships and if we have to create multiple collection for such tasks the we will have to run more queries that is more resource consuming process.

It would becoke easy to query from multiple collections if we have stable relationships.

And one more thing i have an idea to create a function that gets triggered when someone likes post and it updates the post on its behalf. In this way user will not be allowed to directly access the permissions of update. Is it a good practice and a safer one?

Please, don't tag core directly 😅

You can still make relationships manually

I can't find any issues opened with this request. You could open one

As its related to this post so i think we should proceed with this one instead of creating another with same title/questions.

@VincentGe can you look into this with engineering to see if this is in in a near future roadmap? 🙂

Yep!

We've seen this suggestion

What we'll try to solve is how to limit access to individual attributes, might or might not be through permissions, but the underlying problem needs to be sovled for sure

@VincentGe please throw some light on the above mentioned work around, is it secure and good to go until we get a custom solution by Appwrite team.

There are many workarounds, doing a one to one relationship and restricting access this way, using Appwrite Functions, using events. These are valid.

I would just stick with an Appwrite Function for now, it's probably the most flexible approach.

Need support?

Join our Discord

Get premium support

[SOLVED] Provide Access to specific attributes only

Recommended threads

Need support?

Join our Discord

Get premium support