Configure Security to allow update of entries only for some users but allow read for all in Backand


Is it possible to configure the security of a table so that only some users (the owners) of an entry in a database table are allowed to modify the entry?

For example, in a notes app each note is assigned to a list of users who own this note. All users should be able to see all notes, but only the owners of this note should be able to edit/delete this note entry.

I only found a solution to filter who can see the note but not who can edit the note.

There are 1 best solutions below


You will need to create an Action for that. Go to the Actions table. Select the During Update event. Here is an example taken from https://github.com/backand/todos-with-users

    // Backand runs the action body inside this callback.
    function backandCallback(userInput, dbRow, parameters, userProfile) {
        // if the current user has an *Admin* role then he is allowed to update a todo for other users
        if (userProfile.role == "Admin")
            return {};

        if (!dbRow.created_by)
            throw new Error('Todo with no creator can\'t be updated.');

        // do not allow users to change the created by field
        if (dbRow.created_by != userInput.created_by)
            throw new Error('You can\'t change the creator of the todo.');

        // do not allow non *Admin* users to update a todo created by someone else
        if (dbRow.created_by != userProfile.userId)
            throw new Error('You can only update your own todo.');

        return {};
    }
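
The same During Update check adapted to the question's case, where a note has a list of owners rather than a single creator. This is an added example, not part of the original answer or the Backand project; the `owners` field, its array or comma-separated format, the `User` role name and the sample note are assumptions.

```javascript
'use strict';

// Hypothetical field: `owners` holds the owning user ids, either as an array
// or as a comma-separated string. Normalise to a sorted array of strings.
function ownerList(value) {
  if (value === undefined || value === null) return [];
  const items = Array.isArray(value) ? value : String(value).split(',');
  return items.map(v => String(v).trim()).filter(v => v !== '').sort();
}

function sameOwners(a, b) {
  return a.length === b.length && a.every((v, i) => v === b[i]);
}

// Same callback signature as the During Update action in the answer.
function backandCallback(userInput, dbRow, parameters, userProfile) {
  // Admins may update any note.
  if (userProfile.role == "Admin")
    return {};

  // Decide from the stored row (dbRow), never from client-supplied userInput.
  const owners = ownerList(dbRow.owners);
  if (owners.length === 0)
    throw new Error('Note with no owners can\'t be updated.');
  if (!owners.includes(String(userProfile.userId)))
    throw new Error('You can only update notes you own.');

  // Design choice in this example: a non-admin may not alter the owner list.
  // A partial update that omits the field is treated as leaving it unchanged.
  if ('owners' in userInput && !sameOwners(owners, ownerList(userInput.owners)))
    throw new Error('You can\'t change the owners of the note.');

  return {};
}

// Constructed sample data: a note owned by users 7 and 12.
const note = { id: 1, text: 'buy milk', owners: '7, 12' };
const tryUpdate = (input, profile) => {
  try { backandCallback(input, note, {}, profile); return 'allowed'; }
  catch (e) { return e.message; }
};
console.log(tryUpdate({ text: 'buy bread' }, { userId: 12, role: 'User' }));
console.log(tryUpdate({ text: 'x' }, { userId: 99, role: 'User' }));
console.log(tryUpdate({ owners: '7,12,99' }, { userId: 7, role: 'User' }));
```

The ownership decision reads only `dbRow`, so a caller cannot grant themselves access by sending their own id in the request body.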