How to Ensure a User Can Only Access, Add, and Delete Their Own Favorites in Appwrite
- Self Hosted
- Auth
- Databases
Hi everyone,
I'm building an app using Appwrite, and I'm working on a feature where users can store their favorite items in a "Favorites" collection. Each favorite entry has fields like userId and itemId, and I've set up user authentication so that users can log in.
My goal is to ensure that each user can only view, add, or delete their own favorites and cannot access or modify the favorites of other users. I understand that Appwrite has a permissions system, but I'm not entirely sure how to configure it in a way that restricts access to the favorites collection based on the userId field.
Does anyone have any experience or advice on how to implement this? I’ve looked into Appwrite's permissions for documents, but I’m struggling with how to securely link each user to their own favorites and prevent them from accessing others' data.
Any guidance on setting up the correct permissions or best practices for this scenario would be greatly appreciated!
Thanks in advance!
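On the favorites collection, toggle on document-level permissions. Now, when creating a document, add these permissions:

```javascript
import { ID, Permission, Role } from 'appwrite';

// `databases` is a Databases instance; `currentUserId` is the logged-in user's $id.
await databases.createDocument(
    '<DATABASE_ID>',
    '<COLLECTION_ID>',
    ID.unique(), // document ID (required argument)
    {
        foo: "bar"
    },
    [
        // Only this user may read, update or delete the document.
        Permission.read(Role.user(currentUserId)),
        Permission.write(Role.user(currentUserId)),
    ]
);
```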
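
An added example (not part of the answer above and not Appwrite's own code): a small audit that flags favorites whose `$permissions` grant any action to a role other than the user named in the `userId` field, which is client-supplied data and not an access control by itself. It assumes the `action("role")` string form in which Appwrite returns document permissions; the function names and the sample documents are constructed for illustration.

```javascript
// Matches one permission string such as read("user:alice") or update("any").
const PERM_RE = /^(read|create|update|delete|write)\("([^"]+)"\)$/;

// Return the findings for one favorite; an empty list means owner-only access.
function auditFavorite(doc) {
  const findings = [];
  const owner = `user:${doc.userId}`;
  for (const perm of doc.$permissions || []) {
    const m = PERM_RE.exec(perm);
    if (!m) {
      findings.push(`unparseable permission: ${perm}`);
      continue;
    }
    const [, action, role] = m;
    // Drop a status suffix such as "/verified" before comparing with the owner.
    if (role.split('/')[0] !== owner) {
      findings.push(`${action} granted to ${role}`);
    }
  }
  return findings;
}

// Audit a batch of documents and keep only those with findings, keyed by $id.
function auditFavorites(docs) {
  const report = {};
  for (const doc of docs) {
    const findings = auditFavorite(doc);
    if (findings.length > 0) report[doc.$id] = findings;
  }
  return report;
}

// Constructed sample documents, shaped like the documents a list call returns.
const sampleDocs = [
  { $id: 'fav1', userId: 'alice', itemId: 'item1',
    $permissions: ['read("user:alice")', 'update("user:alice")', 'delete("user:alice")'] },
  // Readable by everyone: the document was created with a public read permission.
  { $id: 'fav2', userId: 'bob', itemId: 'item2',
    $permissions: ['read("any")', 'update("user:bob")', 'delete("user:bob")'] },
  // The userId field names carol, but the permissions belong to alice.
  { $id: 'fav3', userId: 'carol', itemId: 'item3',
    $permissions: ['read("user:alice")', 'write("user:alice")'] },
];

console.log(auditFavorites(sampleDocs));
```

With document security enabled, access is granted if either the collection-level or the document-level permissions allow it, so keep read, update and delete off the collection itself and grant only create to signed-in users there.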