ACL as a pointer? (toggle private/public data)

Hey there,

I would like to know if it’s possible to assign an ACL has a Pointer. (Or if there is a better way to achieve what I’m trying to do)

I got a Posts table and a Users table.
Each post belongs to an user. A user can have multiple posts.

I want to give the user the option to hide all his posts.

If the user has 1000 posts, changing the ACL “PublicRead” to false is costly in terms of resources, because we have to update 1000 rows.
However, if I could define all those posts ACL to a pointer in the user table, I could just update 1 row instead.

Thanks in advance

I think the best approach would be to assign a role to each of the posts and then you can just change the Role ACL in one place and all the Posts will respect the ACL of the Role that they have assigned to them.

1 Like

That way I need to have 1 role per user. 1 million roles is kinda messy no?

I must admit I have a similar issue - see here for my initial post: Suggested strategy for sharing objects between users

My approach at the moment is to change the ACL on all the user’s objects (i.e. posts in your use case), which is not ideal as I have the same problem that you had identified, updating 1000 objects is a pain!

1 Like

Sounds like a pointer ACL could do wonders, not sure how hard it would be to implement it tho

Pretty difficult I expect, ACLs seem (to me) to be interwoven into the fabric of Parse.

It would be great to hear what @davimacedo has to say about it.

1 Like

Parse Server has pointer permission (REST API Guide | Parse) which is helpful but I don’t think it would cover your use-case, because, as long as I understood, you want a flag to hide/unhide the posts. In this case, I’d either go with a Role per user or a beforeFind trigger.

1 Like

Thanks for the reply!

Role approach:
Wouldn’t 1million roles (if 1 million users) be a bad idea? Couldn’t it cause performance issues?

beforeFind approach:
If posts are set to public, then I let users read it, if private, I throw. How should I setup the ACL tho? Still PublicRead(true)? I want to make sure beforeFind will prevent everyone from reading it if private.
Is there anything else I should be concerned about to make sure the posts can’t be read by anyone else but the user when posts should be private?

Thanks in advance!

A different angle: Make the option to hide all posts an async cloud function/job and show the user a message “posts will be hidden within the next minutes”.

Yea I rather not waste resources like that but thanks!
Also that’s exactly what I’m trying not to do

  • 1 million roles shouldn’t be a problem in my point of view
  • for beforeFind, you would leave ACL always public and filter hidden posts out using the trigger
  • A third idea could be everything private via CLP and always read the posts via a cloud code function that would create the query according with the hidden/unhidden flag.

I had a similar issue and I solved it with the cloud code. In this case is much easier e much more customizable. ACL are good for other simpler use cases.