I’d like to create a public app (going to be used by about 500 people) which also forces people to authenticate (with Google for example). I’d like to make sure that users are who they say they are.
Then I’d like to be able to run queries against a database resource using a validated identifier.
So for example, if a user auths as email@example.com, I could use the current_user.email and look up a table of permissions for firstname.lastname@example.org and only run with the appropriate permissions. And I don’t want to invite 500 users into our Retool account.
Is this doable? And is it secure (or could the person just edit their current_user.email value in the console to get permissions they shouldn’t be able to)?