Every table in the app is strictly permissioned using pocketbase server-side API permissions. These are set up within the pocketbase admin UI.
There is a section in the pocketbase docs outlining how to use them. Since our schema abstracts user roles into related user tables that share the exact same user id, we can leverage this to simplify our permissions.
As an example, let's look at the permissions for appointments, which a member can have many of.
We individually set 5 rules: list, view, create, update, and delete.
Since the user id is the same as the member id, we can set a rule that limits users to retrieving only their own appointments by checking that the requesting user's id is equal to the appointment's member id:
@request.auth.id = member.id
Because our members are managed by their counselor, who can view and create appointments for them, the counselor also needs access to the member's appointments. We add them by checking that the requesting user's id is equal to the appointment's member's counselor:
@request.auth.id = member.counselor
As shown above, permissions in pocketbase can cascade through relations, checking fields of related records from the base table you are writing the permission for. This makes them very powerful and intuitive.
Note
Because the permissions control the content that is returned from the server, we can use general queries that rely on the permissions.
To get all appointments for a user, we don't need to filter by that user's id. We can just request all appointments, and only the ones that the user is allowed to view will be returned.
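As an added example (not the project's own code), the following is a small local emulation of how the combined appointments rule above filters an unfiltered list request. The member and appointment records, their ids, and the `listAppointments` helper are constructed placeholders; in the real app the rule is evaluated server-side by pocketbase.

```javascript
// Added example: local emulation of a pocketbase API rule. Sample records and
// ids below are constructed placeholders, not data from the real app.
const APPOINTMENTS_LIST_RULE =
  "@request.auth.id = member.id || @request.auth.id = member.counselor";

// Constructed data: a member's id equals its user id, and each member
// record's `counselor` field holds the counselor's user id.
const members = {
  mem_alice: { id: "mem_alice", counselor: "cns_carol" },
  mem_bob: { id: "mem_bob", counselor: "cns_dave" },
};
const appointments = [
  { id: "apt_1", member: "mem_alice" },
  { id: "apt_2", member: "mem_bob" },
  { id: "apt_3", member: "mem_alice" },
];

// Resolve one side of a clause: the auth macro, or a field path on the
// record, following the `member` relation for paths like `member.counselor`.
function resolve(term, record, authId) {
  if (term === "@request.auth.id") return authId;
  const [field, ...rest] = term.split(".");
  const value = record[field];
  if (rest.length === 0) return value;
  if (field === "member") return resolve(rest.join("."), members[value], authId);
  throw new Error(`unsupported relation: ${field}`);
}

// Evaluate a rule made of `a = b` clauses joined by `||` (the subset the
// appointment rules use). Unauthenticated callers never match.
function ruleAllows(rule, record, authId) {
  if (!authId) return false;
  return rule.split("||").some((clause) => {
    const [lhs, rhs] = clause.split("=").map((s) => s.trim());
    return resolve(lhs, record, authId) === resolve(rhs, record, authId);
  });
}

// Equivalent of a client listing `appointments` with no filter: only the
// records the rule allows for this caller come back.
function listAppointments(authId) {
  return appointments
    .filter((a) => ruleAllows(APPOINTMENTS_LIST_RULE, a, authId))
    .map((a) => a.id);
}
```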