nextjs-edgedb-auth-template
Security: `User` object has no access policy defined
First of all, thank you Alexandra and Scott for the work! This was a good head-start :)
I've noticed your User object has no access policy:
https://github.com/edgedb/nextjs-edgedb-auth-template/blob/95dcd9525c39b070873fe842db440f8470f73e90/dbschema/default.esdl#L13
This means any session can perform CRUD operations on any User in the database (not the identity). Think people reading each other's emails, malicious actors deleting users... It could be a mess.
This is also the case in the official auth guide. Should this be handled in application logic? AKA should developers always check if the user is the owner of a User object before selecting/modifying it?
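
An added example, not part of the original issue and not the template's own schema: one way to express the ownership check in the schema instead of in application logic. The `identity` link and `email` property names are assumptions about the `User` type; `ext::auth::ClientTokenIdentity` is the auth extension's global holding the identity of the calling session.

```sdl
using extension auth;

module default {
  type User {
    # Assumed fields: a link to the auth identity plus some profile data.
    required identity: ext::auth::Identity;
    email: str;

    # Without any access policy, every session may select, insert,
    # update and delete every User object.
    #
    # Once a type has at least one policy, everything not explicitly
    # allowed is denied. This single policy lets a session touch only
    # the User whose identity matches its own auth token:
    #   - select/update/delete: only rows owned by the caller
    #   - insert: only a User linked to the caller's own identity
    # A session with no token has an empty global, `?=` evaluates to
    # false, and it sees no User objects at all.
    access policy owner_has_full_access
      allow all
      using (.identity ?= global ext::auth::ClientTokenIdentity);
  }
}
```

With a policy like this in place, a query such as `select User { email }` returns only the caller's own row, so a forgotten ownership check in a route handler does not expose other users' data.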