initial commit
This commit is contained in:
@@ -0,0 +1,39 @@
|
||||
/// <reference path="../pb_data/types.d.ts" />
|
||||
//
|
||||
// M13 — API rules for the users collection.
|
||||
//
|
||||
// Previously the users collection had no migration-applied rules (see M4
|
||||
// comment at line 14-15). Without list/view rules, any authenticated user
|
||||
// could enumerate all accounts including shop owner emails and display
|
||||
// names.
|
||||
//
|
||||
// This migration restricts users to seeing only their own record:
|
||||
// listRule = 'id = @request.auth.id'
|
||||
// viewRule = 'id = @request.auth.id'
|
||||
//
|
||||
// Create, Update, and Delete rules remain as default (admin-only) —
|
||||
// self-registration is handled by the frontend signup flow, and profile
|
||||
// updates use the PB auth endpoints or admin UI.
|
||||
|
||||
migrate(
|
||||
(db) => {
|
||||
const col = db.findCollectionByNameOrId('users');
|
||||
if (!col) {
|
||||
console.warn('[M13] users collection not found — skipping');
|
||||
return;
|
||||
}
|
||||
|
||||
col.listRule = 'id = @request.auth.id';
|
||||
col.viewRule = 'id = @request.auth.id';
|
||||
db.save(col);
|
||||
console.log('[M13] applied user-scoped rules to users collection');
|
||||
},
|
||||
(db) => {
|
||||
// On rollback: clear the rules back to empty (fallback to admin-only access).
|
||||
const col = db.findCollectionByNameOrId('users');
|
||||
if (!col) return;
|
||||
col.listRule = '';
|
||||
col.viewRule = '';
|
||||
db.save(col);
|
||||
}
|
||||
);
|
||||
Reference in New Issue
Block a user