Hello,
I would like to add an ability for two registered users to share some content privately.
I planned to define conversations database collection to be “Private Data” collection, and add some logic at backend to verify the users are permitted to access the data.
However after publishing site I found out that my understanding was incorrect and only Admin user may access the information with Private permissions set (initially I thought backend access to the collection has Admin permissions).
Is there any way to limit access to the collection to only access from backend?
Is there some kind of existing database permissions I’m missing which allows me to give the ability described above?
Hi again,
I have found some explanation on Authorization Suppression when accessing the collection from backend.
Suppression didn’t work when access was defined for “Admin” but worked in case “Site member author” permission initially set (expected?).
Basically seems it may fit my needs, however I would appreciate to know if there is more elegant/correct way to fulfill my requirement.
Hi Dima,
Sorry for the late response, it seems that what you did is the right way.
I’ll check why suppression didn’t work for the Admin role, sounds like a bug.
Hi Tomer,
Thank you for the reply. Looking forward to some update regarding the Admin role issue I saw. It will allow me to ‘lock’ the collections for backend use only as I planned.
Thanks,
Dima
Tomer,
I would like to share with you more findings on suppression issue I have:
I see that ‘create’ permission suppression looks working correctly - I set Admin permissions on collection’s ‘create’ and adding options as following:
    let options = {
        "suppressAuth": true,
        "suppressHooks": false
    };
As result record is added by logged-in user as expected.
Issue is observed while querying collection with wixData.query:
I set read access to ‘Admin’ and adding options above to ‘query’. I get the following error:
The current user does not have permissions to read on the test_collection collection.
I set read access to ‘Site member Author’ with same suppress options. I see that query succeeds, however it doesn’t fetch items which fit the query but were created by other users (in particular by Admin)
I set ‘Site member’ role - suppression works correctly, all relevant items fetched
I set ‘Anyone’ (however in this case suppression looks meaningless) - all relevant items fetched as expected.
Hopefully it will help Wix team to solve the observed issues
BTW, I see that updating collection permissions will be reflected on the Published site only after I press ‘Publish’, even if I didn’t make any other changes in code. Is it expected behavior? Is there some other way to update access permissions without Publishing the site (to avoid an undesired code update but only update collection permissions)?
Thank you for your report. We will investigate the database permission issue.
You are correct to observe that permissions get propagated on site publish. Currently, there is no other way to set permissions on a public site. As a workaround you could get back in history to the published site, change permissions, publish the site and then get back to the latest version you were editing.
Thanks for providing a code snippet. The bug lies in the way you are passing options to the query you are making with wixData.
You should not pass the options object to the wixData.query function. The options object should be passed to the find function.
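
The fix from the last reply, combined with the backend access check the first post planned, as an added example that is not part of the original thread. The "conversations" collection, its "participants" field, the injected wixData argument and the fakeWixData stand-in are assumptions made so the code runs outside a Wix site.

```javascript
// Added example, not code from the thread or from Wix. The "conversations"
// collection, its "participants" field and the injected wixData argument are
// assumptions; in a Velo backend module use `import wixData from 'wix-data'`
// and take callerId from the server-side session, never from the client.
const OPTIONS = { suppressAuth: true, suppressHooks: false };

// suppressAuth bypasses the collection's permissions, so this check is the
// only thing standing between a member and other members' conversations.
function isParticipant(conversation, callerId) {
  return Boolean(callerId) && conversation.participants.includes(callerId);
}

function listConversations(wixData, callerId) {
  if (!callerId) return Promise.reject(new Error("login required"));
  return wixData.query("conversations")   // query() takes the collection name only
    .hasSome("participants", [callerId])
    .find(OPTIONS)                         // options are passed to find()
    .then(res => res.items.filter(c => isParticipant(c, callerId)));
}

// Constructed stand-in for wix-data, modelling only what the thread reports:
// a restricted collection is readable from the backend only when find()
// receives suppressAuth. It is not Wix's implementation.
function fakeWixData(rows) {
  return {
    query(name) {                          // a second argument has no effect
      let match = () => true;
      const q = {
        hasSome(field, values) {
          match = r => r[field].some(v => values.includes(v));
          return q;
        },
        find(options = {}) {
          if (!options.suppressAuth) {
            return Promise.reject(new Error("The current user does not have " +
              `permissions to read on the ${name} collection.`));
          }
          return Promise.resolve({ items: rows.filter(match) });
        },
      };
      return q;
    },
  };
}

const SAMPLE = [                           // constructed sample rows
  { _id: "c1", participants: ["alice", "bob"] },
  { _id: "c2", participants: ["carol", "dave"] },
];
```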