C# · 2w ago
Zoli

Determining Feed Ownership for Edit/Delete Functionality in a client application

In a feed-based .NET MAUI application with authenticated users, how should ownership of feeds be identified to allow editing and deletion?

1. Should feeds be fetched in two separate requests (one for the logged-in user's feeds and another for all other feeds), then merged client-side with a flag (e.g., Mine = true) to indicate ownership?
2. Alternatively, should all feeds include their ownerId, enabling the client to identify ownership based on the logged-in user's ownerId? Is it secure and appropriate to expose ownerId values to the client in this approach?
3. Fetch feeds with a single API call, but let the server mark ownership before sending the response (e.g., include an isEditable or isOwned property). This combines the best of both?
2 Replies
Rory · 2w ago
3 sounds the most natural to me. If the user is authenticated with the server, let the server figure out what they have access to and can see based on identity (not request), then enrich the response in a way that the client can use to indicate "yours". Even if all feeds are public and non-sensitive today, having the server control that seems apt and means you don't need to rework the client should you want to change it.

Also, the logic for "Can I edit this" doesn't live on both client and server - the server is going to explicitly tell the client. Again, if it changes, no client update. If you do option 2, you'd have to align logic if it ever goes beyond "is owned by me".

I guess on that latter point, being specific, e.g. "canedit" and "candelete", makes more sense than just "isowned", but might be overkill.
Zoli (OP) · 2w ago
Thank you for the input! Obviously, on the server side I still need to validate the incoming edit/delete request for the particular feedItem (does the authenticated user own the target feed item).
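
Option 3 combined with the server-side re-check mentioned in the last reply, as an added example that is not part of the thread: the server computes per-caller flags for the response and checks ownership again on the write path. All type and member names (`Feed`, `FeedDto`, `FeedService`, `CanModify`) and the sample data are assumptions for illustration, and the caller id is assumed to come from the authenticated session.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Stored entity: OwnerId stays on the server (hypothetical model).
public record Feed(int Id, string OwnerId, string Text);
// Response shape: per-caller flags instead of a raw owner id.
public record FeedDto(int Id, string Text, bool CanEdit, bool CanDelete);
public enum DeleteResult { Deleted, NotFound, Forbidden }

public class FeedService
{
    private readonly Dictionary<int, Feed> _feeds = new();
    public void Add(Feed f) => _feeds[f.Id] = f;

    // Single policy function: the only place "who may change this" is decided.
    private static bool CanModify(Feed f, string callerId) => f.OwnerId == callerId;

    // callerId must come from the authenticated session/token, never from the request body.
    public List<FeedDto> GetFeeds(string callerId) =>
        _feeds.Values.OrderBy(f => f.Id)
              .Select(f => new FeedDto(f.Id, f.Text, CanModify(f, callerId), CanModify(f, callerId)))
              .ToList();

    // The flags above are only UI hints; the write path checks ownership itself.
    public DeleteResult Delete(string callerId, int feedId)
    {
        if (!_feeds.TryGetValue(feedId, out var feed)) return DeleteResult.NotFound;
        if (!CanModify(feed, callerId)) return DeleteResult.Forbidden;
        _feeds.Remove(feedId);
        return DeleteResult.Deleted;
    }
}

public static class Program
{
    public static void Main()
    {
        var svc = new FeedService();
        svc.Add(new Feed(1, "alice", "Alice's post"));   // constructed sample data
        svc.Add(new Feed(2, "bob", "Bob's post"));

        foreach (var dto in svc.GetFeeds("alice"))
            Console.WriteLine(dto);
        // A client that ignores the flags and sends the request anyway hits the same check.
        Console.WriteLine(svc.Delete("alice", 2));
        Console.WriteLine(svc.Delete("alice", 1));
    }
}
```

Keeping the read-side flags and the write-side check on one policy function means a later rule change (for example, moderators) cannot leave the two out of sync.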
