I want to prevent people from updating other scores on a leaderboard, but that doesn't seem possible

Since Manifest's Auth is RBAC, and since the IDs used for updating entities increments by 1, then doesn't that mean since a user can update their own score, then they can update everyone's score because they can guess the id by incrementing/decrementing their own ID?

Joe Beretta•12/7/24, 9:49 AM

Hi @Shant Tokatyan I’ve asked the same question and got the answer here Access policies: How to allow update/delete entity only for it’s owner?

Shant TokatyanOP•12/7/24, 3:14 PM

Hi, the one difference is that I am okay with non owners being able to update a row -- I just want to use an ID that is not incremented so that it is harder to guess a row.

Shant TokatyanOP•12/7/24, 3:16 PM

If an ID is incremented, then everyone has access to (and can find) every row, but at least if a row can be made so that it is only fetched by a certain field, e.g a uuid, then the uuid will be much harder to for people to guess.

SShant Tokatyan Hi, the one difference is that I am okay with non owners being able to update a ...

Joe Beretta•12/8/24, 6:16 AM

Hi, I didn’t searched about ID prop type changing, can’t help u right now about this

SShant Tokatyan If an ID is incremented, then everyone has access to (and can find) every row, b...

Joe Beretta•12/8/24, 6:18 AM

Anyway even if ID is integer, I think ypu have to implement the more complex acl rules on your side until it will become as out of box solution in the manifest (maybe it won’t)

Shant TokatyanOP•12/8/24, 7:18 AM

Yup, I ended up not using manifest and making my own backend instead. I look forward to using manifest one day though

SShant Tokatyan Yup, I ended up not using manifest and making my own backend instead. I look fo...

Joe Beretta•12/8/24, 3:03 PM

By the way - u r able to connect manifest to your backend
I'd rather do the business logic on own side and pass "dirty job" to manifest to keep some time

See this part https://manifest.build/docs/rest-api

REST API | Manifest Docs

An alternative to the JS SDK to connect to your backend is through the REST API.

brunobuddy•12/9/24, 12:04 PM

@Shant Tokatyan you took the correct decision as there is no easy way to do it with Manifest yet. However we will focus on implementing custom logic in Manifest really soon. Good luck

Bbrunobuddy @Shant Tokatyan you took the correct decision as there is no easy way to do it w...

Shant TokatyanOP•12/10/24, 5:59 AM

Thank you, I’m rooting for Manifest! Look forward to custom logic

brunobuddy•12/11/24, 7:22 AM

I will let you know when it's done. Probably next month !