How to restrict participant control on shared CloudKit CKShare?

I am making an iOS app using CloudKit where a user can make a post with some content (title, images, body, etc.) and I want them to be able to share that content using a CKShare for viewing only and have the participants post comments without the ability to modify the original post or delete it. Not to unlike Instagram, etc. Is this possible? What would the data model look like?


Using the Photos app and its shared albums as a reference, participants can post comments, like posts, etc. but they can also delete images which I'm trying to avoid. I'm looking for a better security model than "just don't put a delete button in the UI".


Ive done this easily with Firebase and their granular ACL controls but don't understand how to do this with CloudKit.

Up vote post of inreflection7 Down vote post of inreflection7
918 views
Posted by
inreflection7
Reply
Add a Comment

Replies

I believe you can accomplish this with two CKShare records. One contains the photo and it has CKShareParticipantPermissionReadOnly. The other contains the comments and it has CKShareParticipantPermissionReadWrite.


see:

https://developer.apple.com/documentation/cloudkit/ckshare/1640494-publicpermission?language=objc

https://developer.apple.com/documentation/cloudkit/ckshareparticipantpermission?language=objc

https://developer.apple.com/documentation/cloudkit/ckshareparticipantpermission/ckshareparticipantpermissionreadonly?language=objc

Posted by
PBK
Up vote reply of PBK Down vote reply of PBK
Add a Comment

Not a bad idea. Does this mean the user has to share two links and participants need to accept two?

Posted by
inreflection7
Up vote reply of inreflection7 Down vote reply of inreflection7
Add a Comment

I am not sure but you might be able to do it with a single share using two records where one is the "parent" of the other. A single share shares the record and its parents (or is it the otherway?). And I don't know if you can have different permissions for a record and its parent.

Posted by
PBK
Up vote reply of PBK Down vote reply of PBK
Add a Comment
Did you find a solution to this issue? I.e. not having to share two different records with the same user?
Posted by
foffer
Up vote reply of foffer Down vote reply of foffer
Add a Comment
Indeed, a CKShareParticipant can only have one permission for the entire share. If taking a dual-share approach, one idea might be to include the share URL for the second share in the first share (either as a custom field on the first CKShare itself or a custom CKRecord type which is part of the first share. That way, the owner only needs to distribute a share URL for the first share to the invited participant. Once the invited participant accepts the first share, your code could read the share URL for the second share and accept the second share on behalf of the participant.
Posted by
ProbablyRusty
Up vote reply of ProbablyRusty Down vote reply of ProbablyRusty
Add a Comment