I would like to know if it’s possible to assign an ACL as a Pointer. (Or if there is a better way to achieve what I’m trying to do)
Context:
I got a Posts table and a Users table.
Each post belongs to a user. A user can have multiple posts.
I want to give the user the option to hide all his posts.
Problem:
If the user has 1000 posts, changing the ACL “PublicRead” to false is costly in terms of resources, because we have to update 1000 rows.
However, if I could define all those posts ACL to a pointer in the user table, I could just update 1 row instead.
I think the best approach would be to assign a role to each of the posts and then you can just change the Role ACL in one place and all the Posts will respect the ACL of the Role that they have assigned to them.
My approach at the moment is to change the ACL on all the user’s objects (i.e. posts in your use case), which is not ideal as I have the same problem that you had identified, updating 1000 objects is a pain!
Parse Server has pointer permissions (REST API Guide | Parse), which are helpful, but I don’t think they would cover your use case because, as far as I understood, you want a flag to hide/unhide the posts. In this case, I’d either go with a Role per user or a beforeFind trigger.
Role approach:
Wouldn’t 1 million roles (if 1 million users) be a bad idea? Couldn’t it cause performance issues?
beforeFind approach:
If posts are set to public, then I let users read them; if private, I throw. How should I set up the ACL though? Still PublicRead(true)? I want to make sure beforeFind will prevent everyone from reading it if private.
Is there anything else I should be concerned about to make sure the posts can’t be read by anyone else but the user when posts should be private?
A different angle: Make the option to hide all posts an async cloud function/job and show the user a message “posts will be hidden within the next minutes”.
1 million roles shouldn’t be a problem from my point of view.
For beforeFind, you would leave the ACL always public and filter hidden posts out using the trigger.
A third idea could be everything private via CLP and always read the posts via a cloud code function that would create the query according to the hidden/unhidden flag.
I had a similar issue and I solved it with cloud code. In this case it is much easier and much more customizable. ACLs are good for other, simpler use cases.
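The beforeFind approach discussed in the thread (ACL left public, hidden posts filtered in the trigger), as an added example that is not code from any of the posters. The field names `author` and `postsHidden` and the function name `restrictToVisiblePosts` are assumptions made for illustration.

```javascript
// Added example, not code from the thread. Assumed schema (hypothetical names):
//   Post.author        Pointer<_User>
//   _User.postsHidden  Boolean, set to true when the user hides all posts.
// Assumption: the caller can read postsHidden on _User rows. If that field is
// not readable, the inner query matches no authors and nothing gets excluded.

// Returns the query Parse Server should run in place of the caller's query.
// `Parse` is passed in as a parameter so the function can be tested with a stub.
function restrictToVisiblePosts(Parse, request) {
  // Master-key callers (background jobs, admin tooling) are not filtered.
  if (request.master) return request.query;

  // Posts whose author has NOT switched on the "hide all my posts" flag.
  const hiddenAuthors = new Parse.Query(Parse.User).equalTo('postsHidden', true);
  const scopes = [new Parse.Query('Post').doesNotMatchQuery('author', hiddenAuthors)];

  // A logged-in user always keeps access to their own posts, hidden or not.
  if (request.user) {
    scopes.push(new Parse.Query('Post').equalTo('author', request.user));
  }

  // AND the caller's constraints with the visibility rule, so a crafted
  // client query can only narrow the result set, never widen it.
  return Parse.Query.and(request.query, Parse.Query.or(...scopes));
}

// Register the trigger only inside Parse Server, where `Parse` is a global.
if (typeof Parse !== 'undefined') {
  Parse.Cloud.beforeFind('Post', (request) => restrictToVisiblePosts(Parse, request));
}
```

Hiding or unhiding every post is then a single write to the user's `postsHidden` field, with no change to any Post ACL.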