Is this a security problem? #3295
I am new to Pocketbase and I'm trying to wrap my head around API rules. I'm wondering if what I'm doing is a bad idea for security reasons. Hopefully, one of you can shed some light on this. Note: I am using SvelteKit. I have a field called "clients" in my users collection. I'd like to be able to update the clients field in a +page.server.js file, and the update would not necessarily come from an authenticated user. However, I'm not sure if this would cause a vulnerability where someone could maliciously update a field in users that I'd rather restrict to id = @request.auth.id. Is there a way to do this? Can I somehow set the API update rule to allow the clients field to be updated by everyone, without opening myself up to a vulnerability? Or would I be better off creating a new collection with the update API rule blank with a relation to the users collection? Thank you.
Replies: 1 comment 3 replies
I don't understand the described requirements and what the desired behavior is. What is the purpose of the "clients" field and how is it related to the users collection? What do you mean by "the update would not necessarily come from an authenticated user"? Should guests/unauthorized clients be able to change the value of this field for any user?
In this case - Yes, it would be better to have a separate collection with its own API rules.
Technically it is possible to restrict the update to only a single field, but it'll be difficult and error prone since you'll have to blacklist/disallow the submission of all other user fields manually, something like:
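The following is an added example, not the maintainer's snippet and not PocketBase code. It simulates the "deny every other field" update rule described in the reply above, to show concretely why that approach is error prone compared with a separate collection. It assumes the PocketBase API-rule forms `@request.data.<field>:isset = false` (the field must be absent from the request body) and `id = @request.auth.id`, as documented for the 0.x rule language; the evaluator here is a toy that understands only those two forms, not PocketBase's real rule engine. The field names and request bodies are constructed for the illustration.

```javascript
// Added example (not from the discussion above): why a field deny-list rule
// is fragile. Assumes PocketBase rule syntax `@request.data.<field>:isset = false`
// and `id = @request.auth.id`; the evaluator is a toy, not PocketBase's engine.

// Fields the developer knows about when the rule is written (constructed list).
const KNOWN_USER_FIELDS = ["username", "email", "verified", "avatar", "clients"];

// Build a rule that lets anyone update only `allowedField`: every other known
// field must be absent from the request body.
function buildDenyListRule(allowedField, knownFields) {
  return knownFields
    .filter((f) => f !== allowedField)
    .map((f) => `@request.data.${f}:isset = false`)
    .join(" && ");
}

// Toy evaluator. Returns true when the update would be permitted.
function evaluateRule(rule, { authId, recordId, body }) {
  if (rule === "") return true; // an empty rule means public access in PocketBase
  return rule.split("&&").every((clause) => {
    const c = clause.trim();
    if (c === "id = @request.auth.id") return authId !== null && authId === recordId;
    const m = c.match(/^@request\.data\.(\w+):isset = false$/);
    if (m) return !Object.prototype.hasOwnProperty.call(body, m[1]);
    throw new Error(`toy evaluator does not understand: ${c}`);
  });
}

// Defender-side check: which fields in the collection's *current* schema does
// the deny-list rule not mention? Every field listed here is writable by anyone.
function uncoveredFields(rule, allowedField, currentSchema) {
  const denied = new Set(
    [...rule.matchAll(/@request\.data\.(\w+):isset = false/g)].map((m) => m[1])
  );
  return currentSchema.filter((f) => f !== allowedField && !denied.has(f));
}

// Walk through the scenario from the question.
function demo() {
  const rule = buildDenyListRule("clients", KNOWN_USER_FIELDS);
  const guest = { authId: null, recordId: "user_abc" }; // unauthenticated caller

  const results = {
    // intended use: a guest updates only `clients`
    clientsOnly: evaluateRule(rule, { ...guest, body: { clients: ["c1"] } }),
    // blocked: a guest tries to change the email
    emailChange: evaluateRule(rule, { ...guest, body: { email: "x@example.com" } }),
  };

  // Later a `role` field is added to users, but nobody revisits the rule.
  const currentSchema = [...KNOWN_USER_FIELDS, "role"];
  results.roleChange = evaluateRule(rule, { ...guest, body: { role: "admin" } });
  results.uncovered = uncoveredFields(rule, "clients", currentSchema);
  return results;
}

console.log(demo());
// clientsOnly: true, emailChange: false, roleChange: true (the new field
// slipped through the deny list), uncovered: ["role"]
```

The `uncoveredFields` check is the kind of test you would have to keep running every time the schema changes; a separate collection whose rules reference only its own fields (for example a relation to users plus a `user = @request.auth.id` style rule) does not have this maintenance hazard, which is the reason behind the recommendation above.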