Hey Ian, thanks for following up. Our real world use case is for meeting up with people in person through events so we need to be very careful with what data we expose to the client given that we don’t want to allow strangers to be able to see other people’s location. Although if you’re someone’s friend you can see if they are nearby.
What we currently do is have a users collection, and then when we want to fetch which users are in an event, we currently have an an API which checks if they are friends or not. If they are not friends, we only return their name, user id, and phone hash. Whereas if they are friends, we return those fields, their current location, and a couple of other secure fields.
We want to start using Device sync so we can have more real-time data as opposed to using our APIs, and also that would remove the amount of code we’d have to manage. However if we just have to end up duplicating and manage that data to work with sync then the trade off doesn’t make too much sense for us.
I set up a ‘contacts’ array in the users custom_data and in my real world example there are:
- 10 people going to the event
- 1 of those people are my friend and are listed in my custom_data field.
What I’d like to happen is when I run the query that is on the user collection I only get the location field back for that one user.
As only one rule can be picked per session per collection, having field level permissions using an expression seems to be a way this would work perfect for our use case. Given that technically everyone can read the document, but only some can read set fields.
I hope that gives you a bit more context on what we are trying to achieve and why. Obviously there are hacky ways around it but the above solution I think would be our perfect use case.