Start a new topic

Architecture for data collaboration and security

I've been having some problems trying to figure out how to structure my data and permissions and it seems that what is available in Kinvey's built in access control is not going to be usable for what I am trying to accomplish, but it's possible that I am just not understanding how to best use it. I'm looking for advice on how to achieve the following scenario:





"trips" Data Store Collection

"photos" -> One to Many Relationship to "photos" collection

"private" -> True/False

"owner" -> One to One Relationship to "user" collection

"collaborators" -> One to Many Relationship to "user" collection



"photos" Data Store Collection

"private" -> True/False

"owner" -> One to One Relationship to "user" collection



"user" Collection

"followers" - Array of followers relationships

"user" -> One to One Relationship to "user" collection

"private" -> True/False

"following" - Array of following relationships

"user" -> One to One Relationship to "user" collection

"private" -> True/False



All collections are set to "Private" Meaing Readable/Writable only by the owner of the model



The first constraint is that some trips and photos can always be viewed by the owner and can only be viewed by everyone else if private is set to false or someone is following the owner and they have been granted private permissions. I have solved this simply by abstracting the query into a custom endpoint and parsing the permissions from the user collection with followers, and following.



The second constraint is that I need to have the ability for the owner of the "trip" to add collaborators to a trip. This simply means that they can add/edit a photo model to the "photos" collection attached to a "trip". Where this becomes troublesome is when I also want the owner of the trip to be able to edit and delete photos that have been added/collaborated to their own trip. Also determining whether this user has permissions to add this photo to the trip seems difficult. If there are any ideas around architecting a collaborative approach inside of Kinvey/Mongo, I would love to hear them. If I can use Kinvey's ACL approach that would obviously be great as well.



The third issue I'm encountering is that I have a before-save collection hook on the "trip" collection that does a bit of calculations based on photos that are attached. Is there a way to trigger logic like this from another source besides saving the "trip" model. This would be to allow someone to add a photo, but because they don't have permissions to edit the trip, they wouldn't be able to save the trip, hence not triggering the before-save collection hook.



Again, any advice is greatly appreciated. Please let me know if I can be more descriptive in anything I've mentioned here or if anything was unclear.



Thank you,

Patrick


Testing formatting data:



"trips" Data Store Collection

"photos" -> One to Many Relationship to "photos" collection

"private" -> True/False

"owner" -> One to One Relationship to "user" collection

"collaborators" -> One to Many Relationship to "user" collection



"photos" Data Store Collection

"private" -> True/False

"owner" -> One to One Relationship to "user" collection



"user" Collection

"followers" - Array of followers relationships

"user" -> One to One Relationship to "user" collection

"private" -> True/False

"following" - Array of following relationships

"user" -> One to One Relationship to "user" collection

"private" -> True/False
I can't edit my question, so the formatted text is added as an answer
Hey Patrick- This is a great question and has inspired us to write an article that addresses the topic. Once it's out I'll post here.
I have a very similar question about modeling collaborators. Specifically, I'm wondering how to grant a user access to an individual entity in a collection.



The _acl reads:

{"creator":"5329a4a8403f26fb02068da0"}



But I'm not sure how to use the Angular API to update it. There is a mention of User Groups which seems ideal, but there's no Angular adapter for that? Some guidance would be awesome!
Dave, to address just your question, the documentation at http://devcenter.kinvey.com/angular/guides/security#ReaderWriterLists should address what you're trying to do. You should be able to use the acl.addReader and acl.addWriter to add collaborators.
Login or Signup to post a comment