User class write access

Hello all,

I am very confused.

I am trying to secure my User class in my Moralis server. However, I am unsure as to what class level permissions should be set for the User class.

I have been looking in the forums and docs, and I cannot find a solution to my issue. My problem is that I want no public access to my User class, so that it is secure, right? With that, I have set the class level permissions for the User class to r/w/create field only for Authenticated. However, I have noticed that no more users may authenticate in my client.

So how am I meant to have authentication in my client side, while the User class is blocking public access?

I have tried checking and unchecking the client class creation in server settings to no avail.

Clearly I am misunderstanding database security here, and I would appreciate anyone breaking my misunderstanding, as well as solving my issue.

Thanks, Archie

You don’t have to do anything to the User class most of the time. Every row will have an ACL specific to the current user, and only the current user will be able to read data from that row.

Hi,

Yes that makes sense. Thanks for helping me understand ACLs better, despite the documentation on it. My bad.

Have a great day.

1 Like

About this, I noticed that the user also has “Write Access” to their own row. Are they able to edit the “createdAt” field or is it protected with a beforeSave or something similar?

There are some fields that are protected from what the user can update; you can also use beforeSave if you want.

1 Like
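
An added example (not posted by anyone in this thread) of the beforeSave approach mentioned in the last reply: a trigger on the User class that rejects client writes to fields only server code should set. The field names `role`, `credits` and `kycVerified` are hypothetical, and the registration line assumes Moralis cloud code follows the Parse Server trigger API (`request.master`, `request.object.dirtyKeys()`).

```javascript
// Hypothetical fields that only trusted server code may change.
const SERVER_ONLY_FIELDS = ["role", "credits", "kycVerified"];

// Return the server-only fields that a save is trying to modify.
function blockedChanges(dirtyKeys, serverOnly = SERVER_ONLY_FIELDS) {
  return dirtyKeys.filter((key) => serverOnly.includes(key));
}

// beforeSave handler: throwing an error rejects the save.
function guardUserSave(request) {
  // Saves made with the master key come from server code, so let them through.
  if (request.master) return;

  // dirtyKeys() lists every field changed in this save. On sign-up it also
  // contains any extra fields the client tried to set on the new row.
  const blocked = blockedChanges(request.object.dirtyKeys());
  if (blocked.length > 0) {
    throw new Error("Fields not writable from the client: " + blocked.join(", "));
  }
}

// Register the trigger only when running inside the server's cloud code.
if (typeof Moralis !== "undefined") {
  Moralis.Cloud.beforeSave(Moralis.User, guardUserSave);
}
```

The row ACL still decides who may write to the row at all; the trigger narrows which fields the row's owner may change.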