2

In my Parse-based application, each user will have a list of notes that are private to him by default. The user will be able to invite other users (identified by their email address) to view the notes.

I want to use ACL for that, but was wondering what I should do if the invited user is not yet registered as a Parse user at the time of the invitation. In that case, the note's creator cannot add him to the note's ACL since there is no ParseUser object yet.

What is the best solution for this type of invitation?

Can I use ACL for this or do I have to manage the access myself?

Ran

3 Answers

1

If you're familiar with the Parse technology called Cloud Code, then you should check this: https://gist.github.com/mikevansnell/5140654

This code creates a future user from the email passed to the function and assigns it a random password. Then an invitation email is sent to the passed email with all the info, including the password. And when the invited user goes to the app just fill the logi

Klemen
  • Can you call Cloud Code from outside your iOS app? For example, I want the details entered into a form on aweber.com to then call the Cloud Code to create a user or just an object. – DogCoffee Mar 13 '15 at 14:59
  • I don't know if you'll have the ability to create a user, but you can definitely create all other objects. User objects have some restrictions on creation; just try it or read about it in the Parse documentation. – Klemen Apr 15 '15 at 11:15
0

These are two options I can think of.

1) Use ACL

Modify the note's ACL so that it has read access by the users invited that are already registered. Any users that are not registered, get a new row containing the email and note id in a separate table called NewUserAccess. Whenever a user is created, query NewUserAccess for rows with the registering email. Update those notes with the newly created user's objectId.

2) Manage Access Yourself

The second option is just creating a table called UserAccess. With this, when you invite a user you create a row with their email and the note they have access to. This would cause problems if the user changed emails which would require additional work.

Dehli
  • Regarding option 1, isn't it a problem to change the note's ACL when the user that is logged in is not the owner of the object? – Ran Sep 10 '14 at 19:12
  • If you do it in Cloud Code, you can use: [`Parse.Cloud.useMasterKey();`](https://parse.com/docs/js/symbols/Parse.Cloud.html#.useMasterKey) – Dehli Sep 10 '14 at 19:15
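
Option 1 from the answer above, as an added example that is not code from the answer or from Parse: plain JavaScript objects stand in for the note, user and NewUserAccess rows, with the ACL kept in Parse's JSON shape. All function names are hypothetical, and the `emailVerified` gate assumes email verification is enabled so that a pending invitation is only claimed by someone who controls the invited address.

```javascript
// Added example: in-memory model of option 1; no Parse SDK call is made.
const normalizeEmail = (e) => String(e).trim().toLowerCase();

// The note's owner invites an email address to read one note.
function invite(db, ownerId, noteId, email) {
  const note = db.notes.get(noteId);
  if (!note || note.owner !== ownerId) throw new Error("only the owner may invite");
  const key = normalizeEmail(email);
  const user = [...db.users.values()].find((u) => normalizeEmail(u.email) === key);
  if (user) {
    note.ACL[user.objectId] = { read: true }; // already registered: grant now
    return "granted";
  }
  db.newUserAccess.push({ email: key, noteId }); // not registered: park the grant
  return "pending";
}

// Trusted server-side step after signup. Assumes email verification is enabled.
function claimInvites(db, userId) {
  const user = db.users.get(userId);
  if (!user || !user.emailVerified) return []; // unverified address proves nothing
  const email = normalizeEmail(user.email);
  const claimed = [];
  db.newUserAccess = db.newUserAccess.filter((row) => {
    if (row.email !== email) return true; // someone else's invitation: keep
    const note = db.notes.get(row.noteId);
    if (note) {
      note.ACL[user.objectId] = { read: true }; // read only, never write
      claimed.push(row.noteId);
    }
    return false; // consume the row so it cannot be replayed
  });
  return claimed;
}

const canRead = (note, userId) => Boolean(note.ACL[userId] && note.ACL[userId].read);

// Constructed sample data: owner u1 invites an address that registers later as u2.
function demo() {
  const db = { users: new Map(), notes: new Map(), newUserAccess: [] };
  db.users.set("u1", { objectId: "u1", email: "owner@example.com", emailVerified: true });
  db.notes.set("n1", { owner: "u1", ACL: { u1: { read: true, write: true } } });
  const status = invite(db, "u1", "n1", " Friend@Example.com ");
  db.users.set("u2", { objectId: "u2", email: "friend@example.com", emailVerified: false });
  const before = claimInvites(db, "u2"); // not verified yet
  db.users.get("u2").emailVerified = true;
  const after = claimInvites(db, "u2");
  return { status, before, after, readable: canRead(db.notes.get("n1"), "u2"), db };
}
```
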
0

If you want to use ACL in order to control user access to classes and objects, just create a new _Role 'registered_user' in the Parse built-in "Role" class,

and when user xyz registers, add them to the role 'registered_user'.

In the ACL of the classes where you want to restrict READ to the role, use the following:

`"ACL":{"role:registered_user":{"read":true}}`

Explicitly setting READ permissions in the ACL instead of just wildcarding it using "*" will lock down access to members of the "registered_user" role.

It's just like groups in the file system.

Robert Rowntree
  • I guess if I use roles, I will have to create a role for every note, since the user can invite different users for different notes he had created. – Ran Sep 10 '14 at 19:11