ACL as a pointer? (toggle private/public data)

Hey there,

I would like to know if it’s possible to assign an ACL as a Pointer. (Or if there is a better way to achieve what I’m trying to do)

Context:
I got a Posts table and a Users table.
Each post belongs to a user. A user can have multiple posts.

I want to give the user the option to hide all his posts.

Problem:
If the user has 1000 posts, changing the ACL “PublicRead” to false is costly in terms of resources, because we have to update 1000 rows.
However, if I could define all those posts’ ACL as a pointer in the user table, I could just update 1 row instead.

Thanks in advance

I think the best approach would be to assign a role to each of the posts and then you can just change the Role ACL in one place and all the Posts will respect the ACL of the Role that they have assigned to them.

1 Like

That way I need to have 1 role per user. 1 million roles is kinda messy no?

I must admit I have a similar issue - see here for my initial post: Suggested strategy for sharing objects between users

My approach at the moment is to change the ACL on all the user’s objects (i.e. posts in your use case), which is not ideal as I have the same problem that you had identified, updating 1000 objects is a pain!

1 Like

Sounds like a pointer ACL could do wonders, not sure how hard it would be to implement it tho

Pretty difficult I expect, ACLs seem (to me) to be interwoven into the fabric of Parse.

It would be great to hear what @davimacedo has to say about it.

1 Like

Parse Server has pointer permissions (REST API Guide | Parse), which are helpful, but I don’t think they would cover your use case because, as far as I understood, you want a flag to hide/unhide the posts. In this case, I’d either go with a Role per user or a beforeFind trigger.

1 Like

Thanks for the reply!

Role approach:
Wouldn’t 1 million roles (if 1 million users) be a bad idea? Couldn’t it cause performance issues?

beforeFind approach:
If posts are set to public, then I let users read them; if private, I throw. How should I set up the ACL tho? Still PublicRead(true)? I want to make sure beforeFind will prevent everyone from reading them if private.
Is there anything else I should be concerned about to make sure the posts can’t be read by anyone else but the user when posts should be private?

Thanks in advance!

A different angle: Make the option to hide all posts an async cloud function/job and show the user a message “posts will be hidden within the next minutes”.

Yeah, I’d rather not waste resources like that but thanks!
Also that’s exactly what I’m trying not to do

  • 1 million roles shouldn’t be a problem in my point of view
  • for beforeFind, you would leave ACL always public and filter hidden posts out using the trigger
  • A third idea could be everything private via CLP and always read the posts via a cloud code function that would create the query according to the hidden/unhidden flag.
2 Likes
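
The third option in the list above (reads closed via CLP, served by a Cloud Code function that checks the hide flag), sketched as an added example that is not code from this thread or from the Parse project. The class, field and function names are assumptions, and posts are assumed to carry no per-object ACL restrictions, because the master key bypasses them.

```javascript
// Added example (Parse Cloud Code, e.g. cloud/main.js). Assumed schema:
//   Post.owner -> Pointer<_User>, _User.postsHidden (Boolean).
// Assumed CLP on Post: find/get closed to clients, so posts are only
// readable through listPostsOf. All names here are hypothetical.

// P is the Parse SDK namespace, passed in so the logic can be unit-tested.
async function listPostsOf(request, P) {
  const { ownerId, limit = 20, skip = 0 } = request.params;
  if (typeof ownerId !== 'string' || ownerId === '') {
    throw new Error('ownerId is required');
  }

  // One read of the owner's row decides visibility for all of their posts.
  const owner = await new P.Query(P.User).get(ownerId, { useMasterKey: true });
  const callerIsOwner = Boolean(request.user) && request.user.id === owner.id;
  if (owner.get('postsHidden') === true && !callerIsOwner) {
    return []; // hidden: same answer as "no posts", nothing is leaked
  }

  // The master key bypasses the closed CLP (and per-object ACLs), so every
  // constraint is set here; client input only drives clamped paging.
  const pageSize = Math.min(Math.max(Number(limit) || 20, 1), 100);
  const offset = Math.max(Number(skip) || 0, 0);
  return new P.Query('Post')
    .equalTo('owner', owner)
    .descending('createdAt')
    .limit(pageSize)
    .skip(offset)
    .find({ useMasterKey: true });
}

// Hiding or unhiding every post is a single write to the caller's own row.
async function setPostsHidden(request) {
  if (!request.user) throw new Error('login required');
  request.user.set('postsHidden', request.params.hidden === true);
  await request.user.save(null, { useMasterKey: true });
  return request.user.get('postsHidden');
}

// Register only when running inside Parse Server, where `Parse` is a global.
if (typeof Parse !== 'undefined') {
  Parse.Cloud.define('listPostsOf', (request) => listPostsOf(request, Parse));
  Parse.Cloud.define('setPostsHidden', setPostsHidden);
}
```

With this layout the flag must never be the only barrier: if the Post CLP is left open, clients can still query the class directly and skip the check.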

I had a similar issue and I solved it with cloud code. In this case it is much easier and much more customizable. ACLs are good for other, simpler use cases.