/// // // M13 — API rules for the users collection. // // Previously the users collection had no migration-applied rules (see M4 // comment at line 14-15). Without list/view rules, any authenticated user // could enumerate all accounts including shop owner emails and display // names. // // This migration restricts users to seeing only their own record: // listRule = 'id = @request.auth.id' // viewRule = 'id = @request.auth.id' // // Create, Update, and Delete rules remain as default (admin-only) — // self-registration is handled by the frontend signup flow, and profile // updates use the PB auth endpoints or admin UI. migrate( (db) => { const col = db.findCollectionByNameOrId('users'); if (!col) { console.warn('[M13] users collection not found — skipping'); return; } col.listRule = 'id = @request.auth.id'; col.viewRule = 'id = @request.auth.id'; db.save(col); console.log('[M13] applied user-scoped rules to users collection'); }, (db) => { // On rollback: clear the rules back to empty (fallback to admin-only access). const col = db.findCollectionByNameOrId('users'); if (!col) return; col.listRule = ''; col.viewRule = ''; db.save(col); } );