feat(ldapSync.tables): modifed api rules

since users can be listed via a special view nobody but themself should be able to view their whole profile
2024-03-28 14:32:33 +01:00 · 2024-03-28 14:32:33 +01:00 · 696fa4cf2e
parent ab44afa000
commit 696fa4cf2e
1 changed files with 2 additions and 2 deletions
--- a/ldapSync/tables.go
+++ b/ldapSync/tables.go
@ -116,8 +116,8 @@ func createLDAPUsersTable(app *pocketbase.PocketBase) error {
 	form := forms.NewCollectionUpsert(app, collection)
 	form.Name = ldapUsersTableName                          // collection name
 	form.Type = models.CollectionTypeAuth                   // collection type set to auth, otherwise login will not work
-	form.ListRule = types.Pointer("@request.auth.id != ''") // list rule (only authenticated users can list)
+	form.ListRule = types.Pointer("@request.auth.id != id") // list rule (only user self can list their own data
-	form.ViewRule = types.Pointer("@request.auth.id != ''") // view rule (only authenticated users can view)
+	form.ViewRule = types.Pointer("@request.auth.id != id") // view rule (only user self can view their own data)
 	form.CreateRule = nil                                   // create rule (anyone can create)
 	form.UpdateRule = nil                                   // update rule (anyone can update)
 	form.DeleteRule = nil                                   // delete rule (anyone can delete)