Permissions

Step three: Restricting who can emit events

When using realtime-search there are two different aspects to permissioning. As a general rule of thumb, lock your permissions down by default and open up only the topics you need, rather than the other way around.

  • the rpc

This is the most important part: it gives you the ability to stop the RPC from ever reaching the realtime-provider. You also want to make sure that only the realtime_search backend can provide the actual rpc hook, so that another client cannot register it!

  • the record

You want to make sure that only the backend can update the list and meta objects, since, again, a front-end client should not be able to do so.

The permissions

presence:
  "*":
    allow: true
event:
  "*":
    publish: true
    subscribe: true
    listen: true
record:
  "*":
    create: false
    write: false
    read: false
    delete: false
    listen: false
    notify: false
  "user/*":
    create: true
    read: true
    write: true
    delete: true
  "realtime_search/list_*":
    create: true
    write: "user.data.isRealtimeSearch === true"
    read: true
    delete: "user.data.isRealtimeSearch === true"
    listen: "user.data.isRealtimeSearch === true"
  "realtime_search/meta_*":
    create: "user.data.isRealtimeSearch === true"
    write: "user.data.isRealtimeSearch === true"
    read: "user.data.isRealtimeSearch === true"
    delete: "user.data.isRealtimeSearch === true"
rpc:
  "*":
    provide: false
    request: false
  "realtime_search":
    provide: "user.data.isRealtimeSearch === true"
    request: true
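To see what the record and rpc rules above actually grant, here is an added Python example (not code from the realtime-search project) that evaluates them for a plain browser client and for the search backend. The longest-matching-pattern rule, the deny-by-default for unlisted actions, and the hard-coded check of the isRealtimeSearch expression are simplified stand-ins for deepstream's Valve engine, and the BROWSER and BACKEND identities are constructed samples.

```python
import fnmatch

# The record and rpc sections of the permission file above, transcribed as
# Python dicts (presence and event are omitted because they allow everything).
BACKEND_ONLY = "user.data.isRealtimeSearch === true"
PERMISSIONS = {
    "record": {
        "*": {"create": False, "write": False, "read": False, "delete": False,
              "listen": False, "notify": False},
        "user/*": {"create": True, "read": True, "write": True, "delete": True},
        "realtime_search/list_*": {"create": True, "write": BACKEND_ONLY,
                                   "read": True, "delete": BACKEND_ONLY,
                                   "listen": BACKEND_ONLY},
        "realtime_search/meta_*": {"create": BACKEND_ONLY, "write": BACKEND_ONLY,
                                   "read": BACKEND_ONLY, "delete": BACKEND_ONLY},
    },
    "rpc": {
        "*": {"provide": False, "request": False},
        "realtime_search": {"provide": BACKEND_ONLY, "request": True},
    },
}

def matching_rule(section, name):
    # Assumption: as in Valve, the most specific matching path wins; the
    # longest matching pattern is used here as a stand-in for that choice.
    matches = [p for p in section if fnmatch.fnmatchcase(name, p)]
    return section[max(matches, key=len)] if matches else {}

def evaluate(rule, user):
    # Boolean rules are final; the only expression in this file is the
    # isRealtimeSearch check, evaluated here against user["data"].
    if isinstance(rule, bool):
        return rule
    if rule == BACKEND_ONLY:
        return user.get("data", {}).get("isRealtimeSearch") is True
    raise ValueError(f"unsupported rule expression: {rule!r}")

def is_allowed(section, name, action, user):
    rule = matching_rule(PERMISSIONS[section], name)
    # Assumption: an action the matched rule does not mention is denied.
    return evaluate(rule.get(action, False), user)

# Constructed sample identities: a browser client and the search backend.
BROWSER = {"id": "alice", "data": {}}
BACKEND = {"id": "search-provider", "data": {"isRealtimeSearch": True}}

if __name__ == "__main__":
    for who, user in (("browser", BROWSER), ("backend", BACKEND)):
        print(who, "provide rpc:", is_allowed("rpc", "realtime_search", "provide", user))
        print(who, "write list:", is_allowed("record", "realtime_search/list_1", "write", user))
```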