Grant a user access to chat in, but not modify metadata of a Group Chat

I hope to use UIKit for my chat implementation so that I can define a group chat and specify its title and image, but in such a way that chat members cannot change that group chat’s metadata.

Can I set the permissions somehow, or will I have to send all chat interactions through my own API proxy and handle the authorization controls myself?

Hi @jonwolski,

Unless I’m mistaken in specifically what you’re referencing, a user would not be able to update the group chat’s metadata unless you specifically gave them a method to do so.

I did a proof of concept with UIKit.

First, I sign in as “Chloe” the creator. I create a group chat and invite Lara and Joe. I post a message “hi.” I rename the chat “Special Group Chat” and upload an image.

Then I sign in as “Lara” the learner. I go to the group chat and see Chloe’s message. Then I edit the chat and rename it “Special Group Chat Renamed.”

Then I sign back in as Chloe and I see that the group chat is renamed.

Any user that is a member of the group chat can change the chat title or the chat image URL.

My expectation was that Lara would not be able to modify the group chat title that Chloe created.

How can I enforce that constraint?

Hi @jonwolski,

Gotcha, so we’re not referencing the metadata but rather the channel information. What you can do is selectively hide the edit button by changing the CSS for sendbird-channel-profile__edit to display: none depending on whether or not the user should be able to access the edit options.

That works for the happy path, but a malicious user could still send the API requests to change the content that other users see, and those changes don’t go through the profanity filter or moderation. How do I enforce this outside of just the front-end client?

Hi @jonwolski,

We can enable an ACL attribute on your application that would disallow anyone from updating it via the SDK, but that would also include operators. From the Platform API perspective, they’d need your API Key in order to do so.
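A sketch of the server-side check this thread is asking about, as an added example that is not part of the original posts and not Sendbird code: with SDK updates disabled by the ACL attribute, title and image edits go through your own backend, which decides who may edit and is the only place the API key lives. The channel record shape, the field names `name` and `coverUrl`, and the injected `moderate` and `forward` helpers are assumptions made for illustration.

```javascript
// Added example: authorization for group chat title/image edits, enforced on the server.
// Assumptions (not from the thread): the channel record shape, the field names
// `name` and `coverUrl`, and the injected `moderate` and `forward` helpers.

const EDITABLE_FIELDS = new Set(['name', 'coverUrl']);

function authorizeProfileEdit(requesterId, channel, patch) {
  const fields = Object.keys(patch);
  if (fields.length === 0) return { allowed: false, reason: 'empty patch' };
  // Reject anything outside the allow-list instead of silently dropping it.
  const unknown = fields.filter((f) => !EDITABLE_FIELDS.has(f));
  if (unknown.length > 0) return { allowed: false, reason: `field not editable: ${unknown[0]}` };
  if (fields.some((f) => typeof patch[f] !== 'string')) {
    return { allowed: false, reason: 'invalid value' };
  }
  if (!channel.memberIds.includes(requesterId)) return { allowed: false, reason: 'not a member' };
  // Membership is not enough: only the creator may change the title or image.
  if (requesterId !== channel.creatorId) return { allowed: false, reason: 'not the creator' };
  return { allowed: true, reason: 'creator' };
}

// requesterId must come from the backend's own session check, never from the request body.
async function handleProfileEdit(requesterId, channel, patch, { moderate, forward }) {
  const decision = authorizeProfileEdit(requesterId, channel, patch);
  if (!decision.allowed) return { status: 403, reason: decision.reason };
  // Run a new title through the same moderation step that messages go through.
  if (typeof patch.name === 'string' && !(await moderate(patch.name))) {
    return { status: 422, reason: 'title rejected by moderation' };
  }
  await forward(channel.url, patch); // the only code path that holds the API key
  return { status: 200, reason: decision.reason };
}

// Constructed sample data mirroring the proof of concept in the thread.
const sampleChannel = {
  url: 'example-channel',
  creatorId: 'chloe',
  memberIds: ['chloe', 'lara', 'joe'],
};
```

Hiding the edit button in the UI can stay as a convenience; the decision that counts is the one made here, before anything is forwarded.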