Flexible sync security

Hi,

So I was reading the flexible sync permissions guide, and in the Tiered Privileges section I was wondering how you would stop users from inserting documents for other teams.

In the Tiered Privileges section there’s an admin and user role. The admin can read/write to the team they belong to, while the user role can only write to what they own and read from the team they belong to.

[
   {
     "name": "admin",
     "apply_when": {
       "%%user.custom_data.isTeamAdmin": true
     },
     "document_filters": {
       "read": {
         "team": "%%user.custom_data.team"
       },
       "write": {
         "team": "%%user.custom_data.team"
       }
     },
     "read": true,
     "write": true
   },
   {
     "name": "user",
     "apply_when": {},
     "document_filters": {
       "read": {
         "team": "%%user.custom_data.team"
       },
       "write": {
         "owner_id": "%%user.id"
       }
     },
     "read": true,
     "write": true
   }
]

My question is what stops a user role from updating the document to have a team they do not belong to?

i.e.
The doc has

{
  owner_id: 1,
  team: "A"
}

If the user has owner_id: 1 and belongs to team A, what stops them from updating the team field in the doc from “A” to “B”? I guess you can have field-level permissions so that the user role can’t update the Team field, but then how does it get set to Team: “A” in the first place?

Thanks,

Hi @Tam_Nguyen1,

Flexible sync prevents you from writing what you cannot read, so in this case the document_filters.read would prevent a user from writing to a document with a team that does not match the one in their custom user data. It would not, however, prevent a user from moving a document out of their team with that scheme. If you wanted to enforce that, you could add an additional predicate to the document_filters.write:

{
  "write": {
    "$and": [
      { "owner_id": "%%user.id" },
      { "team": "%%user.custom_data.team" }
    ]
  }
}
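
A small model of the behaviour described in the reply above, as an added example that is not part of the original thread and is not Atlas App Services code. It assumes an update is accepted only when the read filter matches the existing document and the write filter matches the document both before and after the change; `expand`, `matches`, `canUpdate` and the sample user and documents are constructed for illustration.

```javascript
// Simplified model (an assumption, not Atlas App Services code) of how the
// reply describes Flexible Sync applying document_filters to an update.

// Constructed sample user: id 1, member of team "A".
const user = { id: 1, custom_data: { team: "A" } };

// Resolve "%%user.id" / "%%user.custom_data.team" style expansions.
function expand(value, user) {
  if (typeof value !== "string" || !value.startsWith("%%user.")) return value;
  return value.slice("%%user.".length).split(".")
    .reduce((obj, key) => (obj == null ? undefined : obj[key]), user);
}

// Supports only what the thread uses: field equality and "$and".
function matches(filter, doc, user) {
  return Object.entries(filter).every(([key, value]) => {
    if (key === "$and") return value.every((f) => matches(f, doc, user));
    if (key.startsWith("$")) throw new Error("unsupported operator: " + key);
    return doc[key] === expand(value, user);
  });
}

// Modelling assumption: the existing document must be readable, and the
// write filter must hold both before and after the change.
function canUpdate(filters, before, after, user) {
  return matches(filters.read, before, user) &&
    matches(filters.write, before, user) &&
    matches(filters.write, after, user);
}

// "user" role from the question, and the same role with the reply's $and.
const original = {
  read: { team: "%%user.custom_data.team" },
  write: { owner_id: "%%user.id" },
};
const hardened = {
  read: original.read,
  write: { $and: [{ owner_id: "%%user.id" }, { team: "%%user.custom_data.team" }] },
};

const ownDoc = { owner_id: 1, team: "A" };   // constructed document
const moved = { ...ownDoc, team: "B" };      // same document, team changed

console.log("original role, move A -> B:", canUpdate(original, ownDoc, moved, user));
console.log("hardened role, move A -> B:", canUpdate(hardened, ownDoc, moved, user));
```
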

Makes sense to me! Thanks.
