From 696fa4cf2e1a3d7c9ea70ab3729cfeecde4658fb Mon Sep 17 00:00:00 2001 From: valentinkolb Date: Thu, 28 Mar 2024 14:32:33 +0100 Subject: [PATCH] feat(ldapSync.tables): modifed api rules since users can be listed via a special view nobody but themself should be able to view their whole profile --- ldapSync/tables.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ldapSync/tables.go b/ldapSync/tables.go
index e4ab007..06e14ad 100644
--- a/ldapSync/tables.go
+++ b/ldapSync/tables.go
@@ -116,8 +116,8 @@ func createLDAPUsersTable(app *pocketbase.PocketBase) error {
 form := forms.NewCollectionUpsert(app, collection)
 form.Name = ldapUsersTableName // collection name
 form.Type = models.CollectionTypeAuth // collection type set to auth, otherwise login will not work
-form.ListRule = types.Pointer("@request.auth.id != ''") // list rule (only authenticated users can list)
-form.ViewRule = types.Pointer("@request.auth.id != ''") // view rule (only authenticated users can view)
+form.ListRule = types.Pointer("@request.auth.id != id") // list rule (only user self can list their own data
+form.ViewRule = types.Pointer("@request.auth.id != id") // view rule (only user self can view their own data)
 form.CreateRule = nil // create rule (anyone can create)
 form.UpdateRule = nil // update rule (anyone can update)
 form.DeleteRule = nil // delete rule (anyone can delete)
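Review bot: The new ListRule and ViewRule use `!=`, which inverts the intended restriction: `@request.auth.id != id` grants access to every record except the caller's own, and because an unauthenticated request has an empty `@request.auth.id` it is also true for anonymous callers, so the change widens access rather than narrowing it to the profile owner. The two added lines should read `form.ListRule = types.Pointer("@request.auth.id = id") // list rule (only the user themself can list their own record)` and `form.ViewRule = types.Pointer("@request.auth.id = id") // view rule (only the user themself can view their own record)`, which also closes the unbalanced parenthesis in the first comment; with an equality rule the empty auth id never matches a real record id, so anonymous access is denied without a separate check. It is worth adding a test that fetches user B's record as user A (and anonymously) and expects it to be refused, since a typo in a string-encoded rule is invisible to the compiler. The surrounding `CreateRule`/`UpdateRule`/`DeleteRule = nil` lines are unchanged here, but their "anyone can …" comments look inconsistent with how a nil rule is usually treated in this framework (admin-only, as opposed to an empty string); please confirm which behaviour is intended. The enclosing `createLDAPUsersTable` starts before and continues past this hunk.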