[SOLVED] Conditional access to documents

You use either the user cookies, or a JWT if you make a server/function request

My idea is that it shouldn't be placed in the database in the first place. And then run functions after, which would be a bit inefficient right ?

Shouldn't or should?

If the request is invalid that is user_id does not match the user id of the user i.e. User tries to create a document with user_id that violates this condition

so we don't want to encourage that right?

So, you have multiple options. You can get the userId from /v1/account (see docs using SDK). Then check in your code if the userId is the same or not. If not then fail. You can also use functions, which would be easier and also server-sided.

For server-sided, you need to send a JWT token to the function, so it "works like a user"

Ok, so I invoke function as a user, and then the function adds it into the collection, is that correct ?

What do you mean?

The appwrite function is executed(https://appwrite.io/docs/products/functions/execution) by the user to add data to the collection. The function is written so that it creates the user_id (from the JWT) in the document.

Is this flow correct ?

And?

Basically it will be something like this:

• User -> Appwrite -> Function -> Appwrite -> User

All this is performed fast so I don't think there will be any problems. At least in my case execution time is something like 500ms having in mind it does a lot more things apart from creating documents, like sending notifications to all my users, getting user's ID, doing a specific check and creating documents. All of this without being optimized, so in other words it could be improved to something like 400ms or maybe less.

It's Dart runtime so It's compiled. In node or other runtimes maybe it runs a bit slower

You are right, it won't take as much time but, there is no response of status For example, if users are not allowed to delete documents, and if the user tries to delete then, he would receive a 401. This is what I need when user tries to create a document with a mismatch in the user_id (user_id in document does not match the user id of the user)

Function always has permission

If you forbid the permissions to execute the function, you will get a permissions error response

If you do the permissions check in the function you can return a custom response

Sorry, I don't understand what you mean by custom response. Here I see, createExecution and getExecution. https://appwrite.io/docs/references/cloud/client-web/functions Are you asking me to long poll for the status?

createExecution() will return whatever you return from the Function (assuming it’s not an async Function)

I see.

Thank you so much @fafa @D5 @ideclon 🙇‍♂️ 🙇‍♂️

If this is solved, please add [Solved] at the beginning of the title, thanks!

[SOLVED] Conditional access to documents