I want to prevent people from updating other scores on a leaderboard, but that doesn't seem possible
Since Manifest's Auth is RBAC, and since the IDs used for updating entities increment by 1, doesn't that mean that since a user can update their own score, they can update everyone's score because they can guess the ID by incrementing/decrementing their own ID?
8 Replies
Hi @Shant Tokatyan I’ve asked the same question and got the answer here https://discord.com/channels/1089907785178812499/1308921203850870884/1309427275728424972
Hi, the one difference is that I am okay with non owners being able to update a row -- I just want to use an ID that is not incremented so that it is harder to guess a row.
If an ID is incremented, then everyone has access to (and can find) every row, but at least if a row can be made so that it is only fetched by a certain field, e.g. a UUID, then the UUID will be much harder for people to guess.
Hi, I haven't searched about changing the ID prop type, so I can't help you right now with this.
Anyway, even if the ID is an integer, I think you have to implement the more complex ACL rules on your side until it becomes an out-of-the-box solution in Manifest (maybe it won't).
Yup, I ended up not using manifest and making my own backend instead. I look forward to using manifest one day though
By the way, you are able to connect Manifest to your backend.
I'd rather do the business logic on my own side and pass the "dirty job" to Manifest to save some time.
See this part https://manifest.build/docs/rest-api
@Shant Tokatyan you took the correct decision as there is no easy way to do it with Manifest yet. However we will focus on implementing custom logic in Manifest really soon. Good luck
Thank you, I’m rooting for Manifest! Look forward to custom logic
I will let you know when it's done. Probably next month!