I have some data for which users can set a flag to specific other users their status. So I have a data type named Availability which contains data for a specific user with a field called contactAvailability which is an array of objects and is read by my app when this users logs in. Now I need other users to be able to update their status in contactAvailability, but from a security POV I want them to be able to update only the object in the array that is relevant for them (so they won't be able to update the status of other users).
To achieve this I though it best to use a Cloud Function. However, I am assuming that a Cloud Function will always run as the user that is logged in when invoking the function right? Is it possible to run it as a user that has access to all objects even when permissions are set to private? If I set the permissions to public then someone can always alter all data from any client right?
Is there another way I can achieve this?
Thanks!