I am creating a workout app that will keep track of lots of client data such as workouts, fitness goals and so on. My question is: to store client data, should I use the users collection for this or create separate collections for workouts, profile-type information and so on? When creating a client this must also create a new account, and I store all information currently in the profile, but I'm not sure that's the best option because each client has a createdBy field which says who created them and they are only shown to that Trainer. When the client logs in, though, they can see the ID of the person that created them since it's in the profile. Is this a security issue? They can't update anything from the client side since I have a deny rule set, but I'm just wondering if this is bad practice.
I can’t foresee why someone knowing the userId of their creator would be a security issue - as long as your allow/deny rules are all properly set up.
An alternative would be to save the creator id outside of the profile field, that way it wouldn’t be automatically published to the client.
Hope that’s some help!
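As an added illustration of the suggestion above (plain JavaScript modelling the server-side logic, not Meteor API calls and not the poster's code): the trainer's id is kept at the top level of the user document as `createdBy` rather than inside `profile`, the client is only sent the fields Meteor publishes for the logged-in user by default, and only the creating trainer may update the record. The function names and the sample document are assumptions.

```javascript
// Added illustration, not Meteor code: a user document whose ownership field
// ("createdBy") lives outside "profile", plus the two server-side decisions
// that keep it private and read-only.

// Fields Meteor publishes to the logged-in user by default: username, emails, profile.
const SELF_VISIBLE_FIELDS = ['_id', 'username', 'emails', 'profile'];

// Constructed sample client account created by trainer "trainer1".
const clientDoc = {
  _id: 'client1',
  username: 'alice',
  emails: [{ address: 'alice@example.com', verified: false }],
  profile: { name: 'Alice', fitnessGoal: 'run 5k' },
  createdBy: 'trainer1',
};

// Decide which fields of a user document a given viewer is sent
// (the projection a publication would apply on the server).
function visibleUserFields(doc, viewerId) {
  if (viewerId === doc.createdBy) {
    // The trainer who created this client sees the whole document.
    return { ...doc };
  }
  if (viewerId === doc._id) {
    // The client sees only the default self-published fields, so the
    // top-level createdBy never leaves the server.
    return Object.fromEntries(
      Object.entries(doc).filter(([key]) => SELF_VISIBLE_FIELDS.includes(key))
    );
  }
  return null; // anyone else gets nothing
}

// Server-side authorization for an update: only the creating trainer may
// change a client's record, and the ownership field itself is never writable
// (the same effect as a deny rule blocking client-side updates).
function canUpdateClient(doc, actorId, modifiedFields) {
  if (actorId !== doc.createdBy) return false;
  return !modifiedFields.includes('createdBy');
}
```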