Skip to content
Announcing the Appwrite X MongoDB partnership
Start building
Back

How to prevent listing, but allow reading from a collection?

  • 0
  • Databases
View on Discord
memoonlite
7 Jan, 2024, 06:49

Hello everyone! 😊

At the moment I have a collection named User Profiles. The purpose of this collection is to store usernames and some meta data.

The collection is accessible for all users: The read permission is set for Users. All users of my app should be able to access the User Profiles documents.

Now the problem is that a malicious person could use the Database.listDocuments function of the Appwrite SDK to list (steal) all username of my app. 🦹🏻

So I'm looking for a way so that documents of a collection can still be retrieved by ID, but cannot be listed.

My solution would be to remove all permissions from the User Profiles collection and create a cloud function "Get User Profile" that returns a profile by a given ID. But I'm trying to limit the use of cloud functions, as they're expensive.

Does anyone know if there's a way to prevent listing, but still allow reading from a collection without the use of cloud functions?

TL;DR
The problem is that a malicious person can use the Database.listDocuments function to list all usernames in the User Profiles collection. The solution is to remove all permissions from the User Profiles collection and create a cloud function "Get User Profile" that returns a profile by a given ID. However, this approach can be expensive. One alternative solution is to restrict certain attributes using relationships. Another solution is to remove all permissions on the collection and enable document security with read permission of respective users. Another user suggests using a 1-1 relationship with a cart document to restrict general users from accessing certain details.
Drake
8 Jan, 2024, 00:15

Yes, your approach sounds right.

k_vasen
8 Jan, 2024, 00:26

Removing all permissions on a collections and enabling document security with read permission of respective users may restrict the malicious users from accessing that collection.

However If you want to show all user profile to all users.. you would need admin privileges i.e. node-appwrite to execute on server or cloud func

k_vasen
8 Jan, 2024, 00:28

If you want to restrict certain attributes to you could use relationships.

ideclon
8 Jan, 2024, 17:28

A listDocuments() would still show all the Documents the user has access to, I think

ideclon
8 Jan, 2024, 17:29

Could you please elaborate on how that would be done?

k_vasen
8 Jan, 2024, 18:39

Let's say Every user details are stored in user documents. Each user docs might have public basic details likes username, theri selling products might have to be public. There is cart for every user. Let's say for some reason I want to include cart details in users document. If I use 1-1 relationship. With cart document using reald specific user permission. We can restrict the general user by giving empty cart details

ideclon
8 Jan, 2024, 18:40

Wouldn't it just fail to load the Document at all? I haven't actually tried this, but that's what I would expect to happen

k_vasen
8 Jan, 2024, 18:41

{username: "vasen", cart: null} this will be for general users.

{username:"vasen", cart: {$id: dhdjdj, products:[]}

k_vasen
8 Jan, 2024, 18:44

It worked for me.. I have given read only permission

ideclon
8 Jan, 2024, 18:57

Huh, ok.

Reply

Reply to this thread by joining our Discord

Reply on Discord

Recommended threads

Need support?

Join our Discord

Get community support by joining our Discord server.

Join Discord

Get premium support

Join Appwrite Pro and get email support from our team.

Learn more