Hello,

I was reading http://devcenter.kinvey.com/html5/guides/security

In the Use Case section, we have

"If you have collections that only hold entities that the app developer or administrator can create or modify, such as a daily deal, or a blog post, you would want to set the access level to Read Only. This allows read access to user credentials, and write access only to the app developer using the master secret.

"

However, master secret is very powerful, what if there is a concept of collection owner and corresponding key, so that even if that got hacked, the best they can do is post some bad deals or delete all our blogs, instead of getting all of our user data.

Or is there an existing workaround to achieve similar effect? I'm all ears.

Thank you very much!

--Gordon

Hi Gordon,

Kinvey doesn't have such a feature/concept of collection owners and corresponding keys.

And master secret is not supposed to be used inside mobile/web apps. Master secret should be used either in BL or through the console, which minimizes the risk of master secret getting hacked. Also, you always have the option to regenerate master secret via the console if you think it has been somehow compromised.

If you don't want to use master secret for this, there is an alternative way to do the same thing per collection:

• Keep the collection in shared mode.
• Create a couple of users who will be allowed to create posts.
• As the collection is in shared mode, all logged in users will be able to view all posts.
• Create a onPreSave business logic hook for the collection which will check for the user who created the request and allow only those users which you have created earlier.