Access control
Although usable, access control is still a feature in development and the API is planned to expand from here. More information is on the roadmap (opens in a new tab).
Access control in Triplit occurs at the entity level. Although this is an improvement over membership/room based apis, access control does not extends to individual properties.
Typically a user's id is used to determine access. The user's id is accessible by providing a custom token to Triplit, as explained in the Auth guide.
Access control checks run exclusively on the server, and are not enforced on the client. This means that a user can still read and write to a document they do not have access to, but the server will reject the request.
Access control rules
Rules for access control are defined in the rules property of a schema. Both read and write rules are defined with a unique identifier, an optional description, and a filter. The filter is a filter clause that is appended any query for that collection.
import { Schema as S } from '@triplit/client';
const schema = {
todos: {
schema: S.Schema({
id: S.Id(),
author_id: S.String(),
text: S.String(),
}),
rules: {
read: {
'author-is-user': {
description: 'Users can only post todos they authored',
filter: [['author_id', '=', '$session.SESSION_USER_ID']],
},
},
write: {
'author-is-user': {
description: 'Users can only edit their own todos',
filter: [['author_id', '=', '$session.SESSION_USER_ID']],
},
},
},
},
};$session.SESSION_USER_ID is a special variable injected by Triplit. It is the user id of the user that is authenticated with the current session.