Dynamic request validations / permissions? #3705
Maybe this was already discussed in other threads; I've seen a couple of validation / permission based discussions here but could not find a satisfactory answer. I also checked the docs but only found webhooks, which don't seem to be the same thing.

So I'd like to create server-side logic which can e.g. stop a malicious / buggy client from creating 1000s of documents, so maybe allow her/him to create max 2 docs in a collection, or reject a document create request based on the contents of the to-be-created document, team, whatever.

So my question is: what about a per-project server-based script (function?) which all or some selected types of client requests are routed through, and with the help of which one would be able to check all params / contents of that request on-the-fly, i.e. making a dynamic decision whether the operation in question should be allowed or rejected? Of course this could be implemented above the current permission system. I think this approach would add a huge benefit over current static permissions; also quota etc. based decisions could be carried out easily.

My biggest concern currently is that an "evil" / buggy client is able to create even thousands-millions of documents without limits: while it is permitted to write into a collection, nothing stops it from doing so. Of course this may cause some overhead (especially when the database itself must be read to make the decision), but maybe it's worth thinking about it.
Replies: 1 comment 2 replies
@mbazs, thanks for your question! This is best handled by not allowing write access to the collection and making use of an Appwrite function to create the document. For example, in my project, instead of letting users create documents in the comments collection directly, I have this Appwrite function that does some validation before creating the document.
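
The approach in the reply above, combined with the quota and content checks asked about in the question, as an added example (not code from this thread or from Appwrite). It assumes clients have no write access to the collection and that `store` is a hypothetical adapter the function uses with a server API key; `handleCreate`, `validateComment`, `serialized`, `memoryStore` and the 500-character limit are illustrative names and values.

```javascript
// Added example. `store` is a hypothetical adapter over the locked-down
// collection; inside a real function it would use a server API key.
const MAX_DOCS_PER_USER = 2;   // quota taken from the question
const MAX_TEXT_LENGTH = 500;   // assumed content limit
const inFlight = new Map();    // userId -> tail of that user's request chain

function validateComment(payload) {
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    return 'payload must be a JSON object';
  }
  const extra = Object.keys(payload).filter((key) => key !== 'text');
  if (extra.length > 0) return `unexpected fields: ${extra.join(', ')}`;
  if (typeof payload.text !== 'string' || payload.text.trim() === '') return 'text is required';
  if (payload.text.length > MAX_TEXT_LENGTH) return 'text is too long';
  return null;
}

// Run one user's quota check and insert one at a time, so parallel requests
// cannot all read the same count. Holds within one process only; across
// several workers the database must enforce the limit.
function serialized(userId, task) {
  const run = (inFlight.get(userId) || Promise.resolve()).then(task);
  const tail = run.then(() => {}, () => {});
  inFlight.set(userId, tail);
  tail.then(() => { if (inFlight.get(userId) === tail) inFlight.delete(userId); });
  return run;
}

async function handleCreate(userId, rawBody, store) {
  if (!userId) return { status: 401, error: 'authentication required' };
  let payload;
  try { payload = JSON.parse(rawBody); } catch { return { status: 400, error: 'invalid JSON' }; }
  const problem = validateComment(payload);
  if (problem) return { status: 400, error: problem };
  return serialized(userId, async () => {
    if ((await store.countByOwner(userId)) >= MAX_DOCS_PER_USER) {
      return { status: 429, error: 'document quota reached' };
    }
    // The owner comes from the authenticated caller, never from the payload.
    const doc = await store.create({ owner: userId, text: payload.text.trim() });
    return { status: 201, doc };
  });
}

// Constructed in-memory store standing in for the collection.
function memoryStore() {
  const docs = [];
  return {
    docs,
    countByOwner: async (owner) => docs.filter((d) => d.owner === owner).length,
    create: async (data) => { docs.push(data); return data; },
  };
}
```

Without `serialized`, five parallel requests from one user would each read a count of 0 and all five documents would be created, which is the runaway-client case the question describes.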