feat(ldapSync.tables): modifed api rules

since users can be listed via a special view nobody but themself should be able to view their whole profile
This commit is contained in:
Valentin Kolb 2024-03-28 14:32:33 +01:00
parent ab44afa000
commit 696fa4cf2e
1 changed files with 2 additions and 2 deletions

View File

@ -116,8 +116,8 @@ func createLDAPUsersTable(app *pocketbase.PocketBase) error {
form := forms.NewCollectionUpsert(app, collection)
form.Name = ldapUsersTableName // collection name
form.Type = models.CollectionTypeAuth // collection type set to auth, otherwise login will not work
form.ListRule = types.Pointer("@request.auth.id != ''") // list rule (only authenticated users can list)
form.ViewRule = types.Pointer("@request.auth.id != ''") // view rule (only authenticated users can view)
form.ListRule = types.Pointer("@request.auth.id != id") // list rule (only user self can list their own data
form.ViewRule = types.Pointer("@request.auth.id != id") // view rule (only user self can view their own data)
form.CreateRule = nil // create rule (anyone can create)
form.UpdateRule = nil // update rule (anyone can update)
form.DeleteRule = nil // delete rule (anyone can delete)