User ACLs prevent other volunteers from accessing user objects #2

From @aphexcx on January 6, 2016 3:42

Currently the ACL (permissions, essentially) for each _User object is too restrictive (only that user may access their own user object). This means volunteers (other users) can't access those objects.

We could use roles, and Evan and I played around and created a Volunteer Role in Parse. But that seems overengineered for now. Instead, standard ACLs should still be sufficient here:

  • When a donor confirms a volunteer, add that volunteer's ID to the donor's ACL with a READ permission.
  • When a donation is completed (dropped off), remove the volunteer's ID from the donor's ACL.
  • Donor ACLs should always contain only 1 or 2 IDs: their own and a volunteer's ACL, if any.

@brennanMKE @mkulumadzi please review.

Copied from original issue: GiveNow/givenow-android#8
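
The ACL lifecycle proposed in the issue above, as an added example that is not part of the original issue or the GiveNow code. It models the per-ID ACL JSON that Parse stores as plain objects rather than calling the Parse SDK; the function names, the IDs, and the choice to refuse a second volunteer are assumptions.

```javascript
// Plain-object model of the ACL JSON Parse stores on an object:
//   { "<userId>": { read: true, write: true }, "*": {...}, "role:X": {...} }
// No Parse SDK is used; every ID below is constructed for illustration.

// Starting point described in the issue: only the donor can access the row.
function ownerOnlyAcl(donorId) {
  return { [donorId]: { read: true, write: true } };
}

function canRead(acl, userId) {
  return Boolean((acl[userId] && acl[userId].read) || (acl["*"] && acl["*"].read));
}

// Returns null when the ACL matches the issue's rule (donor plus at most one
// read-only volunteer), otherwise a short reason string.
function checkDonorAcl(acl, donorId) {
  const ids = Object.keys(acl);
  const own = acl[donorId];
  if (!own || !own.read || !own.write) return "donor lost access";
  if (ids.length > 2) return "more than two IDs";
  for (const id of ids) {
    if (id === "*" || id.startsWith("role:")) return "public or role entry";
    if (id !== donorId && acl[id].write) return "volunteer has write";
  }
  return null;
}

// Donor confirms a volunteer: add that ID with READ only.
// Assumption: a second volunteer is refused rather than silently replaced.
function confirmVolunteer(acl, donorId, volunteerId) {
  if (volunteerId === donorId) throw new Error("volunteer must differ from donor");
  const others = Object.keys(acl).filter((id) => id !== donorId && id !== volunteerId);
  if (others.length > 0) throw new Error("ACL already lists another ID");
  return { ...acl, [volunteerId]: { read: true } };
}

// Donation dropped off: remove the volunteer's entry, never the donor's.
function completeDonation(acl, donorId, volunteerId) {
  if (volunteerId === donorId) throw new Error("refusing to remove the donor");
  const next = { ...acl };
  delete next[volunteerId];
  return next;
}
```

Running `checkDonorAcl` before every save catches a stale volunteer entry or an accidental public-read grant before it reaches the _User object.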
