Hello!
How do I handle this situation?
- I have 2 client apps, one for consumers and one for creators
- They basically have labels: "consumer" or "creator"
- There's a collection where content is created
- The documents in this collection have document security, so basically the creator can perform CRUD on their own content
- I've added a permission on the content collection which gives read permission to the "consumer" label, so that all consumers can basically view all creators' content.
But let's say a creator decides to log in to the consumer app and it gives them the "consumer" label, and they log back into the creator app: they'd basically be able to view everyone's content, even that of other creators. Of course they wouldn't be able to update or delete it, but they'd be able to see other creators' content in their editor.
How can I solve this?
TL;DR
Two client apps (one for consumers, one for creators) with labels "consumer" or "creator." Content collection has document security: creators can CRUD on their content, consumers can view all creators' content. Issue: Creator logging into consumer app gets "consumer" label and can see other creators' content in creator app, though can't update/delete.
Solution: Add additional security rules to check that user logged in with matching label before viewing content, preventing creators from viewing other creators' content.
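An added example, not part of the original thread or any product's own code: a small Python model of the setup described above, showing why an account that holds both labels can read every document, next to a read check that honors only the label matching the app the session belongs to. The role strings, function names and sample users are assumptions made up for this illustration.

```python
from dataclasses import dataclass

# Constructed model of the setup in the post; all names here are hypothetical.
@dataclass(frozen=True)
class User:
    id: str
    labels: frozenset

@dataclass(frozen=True)
class Document:
    id: str
    owner_id: str  # document security: the owner has CRUD on it

# Collection-level permission from the post: read for the "consumer" label.
COLLECTION_READ = {"label:consumer"}

def roles_of(user):
    # Labels belong to the account, not to the app or session in use.
    return {f"user:{user.id}"} | {f"label:{name}" for name in user.labels}

def can_read_as_configured(user, doc):
    """Read is granted by the collection permission OR by document ownership."""
    roles = roles_of(user)
    return bool(roles & COLLECTION_READ) or f"user:{doc.owner_id}" in roles

def can_read_scoped(user, doc, app):
    """Honor only the label that matches the app the session came from.
    Assumption: `app` is established server-side, not read from a client field."""
    if app not in user.labels:
        return False                    # account has no role in this app
    if app == "creator":
        return doc.owner_id == user.id  # the editor lists own content only
    if app == "consumer":
        return True                     # consumers may view all creators' content
    return False

def visible(check, user, docs, *args):
    return sorted(d.id for d in docs if check(user, d, *args))

# Constructed sample data.
DOCS = [Document("a1", "alice"), Document("b1", "bob")]
ALICE_CREATOR_ONLY = User("alice", frozenset({"creator"}))
ALICE_BOTH = User("alice", frozenset({"creator", "consumer"}))
CAROL = User("carol", frozenset({"consumer"}))

if __name__ == "__main__":
    print("as configured:", visible(can_read_as_configured, ALICE_BOTH, DOCS))
    print("creator app:  ", visible(can_read_scoped, ALICE_BOTH, DOCS, "creator"))
    print("consumer app: ", visible(can_read_scoped, ALICE_BOTH, DOCS, "consumer"))
```
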