I have a collection of entries, which should be private per user. When a sharing request is accepted, I would like to make all entries in this collection from one user visible to another specified user.



The only way I know of doing this right now is setting every entity's properties separately (which seems like it could mean a performance hit) or by customizing the fetch endpoint (which seems like it has security risks associated -- i.e. users can still get data using COUNT requests). I've already implemented the latter.



Note: I would like to make this change on the server-side (i.e. from a hook or endpoint), so that our clients don't have to implement this functionality.

This tutorial is what I followed, but it is not very good security-wise because it still allows COUNT requests.

http://devcenter.kinvey.com/android/guides/business-logic#Denyingaccesstoauser

Seems like this is what I want, and it looks like there may already be an API in android for it.

http://devcenter.kinvey.com/rest/guides/users#usergroups



Where is the documentation for Android?

Hey James, I think you are on the right track. If you use ACL's instead of restricting through BL, then _count would respect that. The best way to do that is via the REST API. I put up a post about usergroups and permissions here, which may help: https://support.kinvey.com/discussion/comment/201904552

Hi James,



It does sound like groups provide the functionality you are looking for. Currently, while adding groups to entity ACLs is supported through the client libraries, group creation and modification is only provided through the REST API.

Do you have an example of using the REST API in Business Logic? I need to create a group whenever a user is created and add someone to a group during a custom endpoint.