Chat app - security


I’m taking a look at the chat app example. And we were wondering about the security.
I see that a logged-in user has permission to write to the partitions “conversation=x” of which he’s a member.

Doesn’t this mean that that user can change all the chat info documents that are part of this conversation, as they’re in that partition? That he can delete chat messages, even if another user made them? Or that he has permission to change the text field of other people’s chat messages?

We seem to be missing some more fine-grained security. For example: only be able to change/view some fields of a document. Or only be allowed to create a new chat object, not change or delete it.
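
The concern raised above, modelled as an added example (not part of the original post, and not the chat app's or the sync service's own API): a partition-level rule is compared with a document- and field-level rule over the same requests. All names (`partitionRule`, `fineGrainedRule`, `AUTHOR_EDITABLE_FIELDS`), the sample users and the policy itself are assumptions made for illustration.

```javascript
// Constructed model of the two permission granularities; not a real SDK API.
const PARTITION_MEMBERS = { "conversation=x": ["alice", "bob"] }; // constructed sample data
const AUTHOR_EDITABLE_FIELDS = ["text"]; // assumed policy: authors may edit only the text

function isMember(user, partition) {
  return (PARTITION_MEMBERS[partition] || []).includes(user);
}

// Partition-level rule as described in the post: membership grants write
// access to every document in the partition, whatever the operation.
function partitionRule(user, op, doc) {
  return isMember(user, doc.partition);
}

// Document- and field-level rule (assumed policy): members read everything,
// create only messages authored by themselves, edit only allow-listed fields
// of their own messages, and never delete.
function fineGrainedRule(user, op, doc, changedFields = []) {
  if (!isMember(user, doc.partition)) return false;
  switch (op) {
    case "read": return true;
    case "create": return doc.author === user;
    case "update":
      return doc.author === user &&
        changedFields.length > 0 &&
        changedFields.every((f) => AUTHOR_EDITABLE_FIELDS.includes(f));
    default: return false; // delete and unknown operations are denied
  }
}

// Constructed requests: mostly bob and alice acting on a message alice wrote.
const aliceMsg = { partition: "conversation=x", author: "alice", text: "hi" };
function compare() {
  const requests = [
    ["bob", "update", aliceMsg, ["text"]],
    ["bob", "delete", aliceMsg, []],
    ["alice", "update", aliceMsg, ["text"]],
    ["alice", "update", aliceMsg, ["author"]],
    ["bob", "create", { partition: "conversation=x", author: "bob", text: "yo" }, []],
  ];
  return requests.map(([user, op, doc, fields]) => ({
    user, op, fields: fields.join(","),
    partitionLevel: partitionRule(user, op, doc),
    fineGrained: fineGrainedRule(user, op, doc, fields),
  }));
}
console.table(compare());
```

The first two rows are the cases the post asks about: the partition-level rule allows both, while the finer rule rejects them.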