I'm not sure if this belongs in this location but I'm hoping someone can help with some security logic.
Here's what I'm trying to achieve:
I have set up a new stream ("Stream_Development") for developing apps along with its own property for access (@DevStream).
I have also set up a custom app property for @Testing.
I can grant access to users using the @DevStream property, but when the @Testing property is set to false on an individual app, the app shouldn't show.
I also have a @Developer property for users who should be able to see all apps in the stream regardless of the state of the @Testing property.
When we want to open that app up to other users for testing, setting the @Testing property should then show it to other users with access to the stream.
It seems like a simple enough concept and I've managed to get the logic working - however in doing so I broke everything else and all users were unable to see any apps but their own (in every stream).
Here's what I've got so far:
I've been manipulating the Stream security rule as that's the only one that I can see that impacts visibility of all apps - but there's clearly something wrong with my logic. The changes I have made are below:
app.stream.name != "Stream_Development" and (
    (resource.resourcetype = "App" and resource.stream.HasPrivilege("read"))
    or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript"
    and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))
app.stream.name ="Stream_Development" and (resource.@Testing="True" or user.@Developer="True")
The indented block is the original rule with my additions surrounding it.
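
The visibility policy described in the post, written out as a decision function and a matrix that can be compared before and after a rule change. This is an added example, not part of the original post and not Qlik's rule engine; the User/App classes, the "Sales" stream and the sample users and apps are constructed for illustration.

```python
# Added illustration: models the visibility policy described in the post.
# It is not Qlik's rule engine; class and field names are hypothetical.
from dataclasses import dataclass, field

DEV_STREAM = "Stream_Development"  # stream name taken from the post

@dataclass
class User:
    name: str
    stream_read: set = field(default_factory=set)  # streams the user can read
    developer: bool = False                        # models user.@Developer

@dataclass
class App:
    name: str
    stream: str
    testing: bool = False                          # models the app's @Testing

def can_see(user: User, app: App) -> bool:
    """Stream read access is always required; the dev stream adds one gate."""
    if app.stream not in user.stream_read:
        return False
    if app.stream != DEV_STREAM:
        return True            # other streams keep their original behaviour
    return app.testing or user.developer

def visibility_matrix(users, apps):
    """Return {(user, app): bool} so a rule change can be diffed before/after."""
    return {(u.name, a.name): can_see(u, a) for u in users for a in apps}

# Constructed sample data.
USERS = [
    User("dev", {DEV_STREAM, "Sales"}, developer=True),
    User("tester", {DEV_STREAM, "Sales"}),
    User("outsider", {"Sales"}),
]
APPS = [
    App("wip", DEV_STREAM, testing=False),
    App("beta", DEV_STREAM, testing=True),
    App("report", "Sales"),
]

if __name__ == "__main__":
    for (u, a), ok in visibility_matrix(USERS, APPS).items():
        print(f"{u:9} {a:7} {'visible' if ok else 'hidden'}")
```

The rows for "report" are the regression check: any rule edit that flips them has changed behaviour outside the development stream.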