40 lines
1.3 KiB
JavaScript
40 lines
1.3 KiB
JavaScript
/// <reference path="../pb_data/types.d.ts" />
|
|
//
|
|
// M13 — API rules for the users collection.
|
|
//
|
|
// Previously the users collection had no migration-applied rules (see M4
|
|
// comment at line 14-15). Without list/view rules, any authenticated user
|
|
// could enumerate all accounts including shop owner emails and display
|
|
// names.
|
|
//
|
|
// This migration restricts users to seeing only their own record:
|
|
// listRule = 'id = @request.auth.id'
|
|
// viewRule = 'id = @request.auth.id'
|
|
//
|
|
// Create, Update, and Delete rules remain as default (admin-only) —
|
|
// self-registration is handled by the frontend signup flow, and profile
|
|
// updates use the PB auth endpoints or admin UI.
|
|
|
|
migrate(
|
|
(db) => {
|
|
const col = db.findCollectionByNameOrId('users');
|
|
if (!col) {
|
|
console.warn('[M13] users collection not found — skipping');
|
|
return;
|
|
}
|
|
|
|
col.listRule = 'id = @request.auth.id';
|
|
col.viewRule = 'id = @request.auth.id';
|
|
db.save(col);
|
|
console.log('[M13] applied user-scoped rules to users collection');
|
|
},
|
|
(db) => {
|
|
// On rollback: clear the rules back to empty (fallback to admin-only access).
|
|
const col = db.findCollectionByNameOrId('users');
|
|
if (!col) return;
|
|
col.listRule = '';
|
|
col.viewRule = '';
|
|
db.save(col);
|
|
}
|
|
);
|