We want users visiting:
https://nodosdeconocimiento.es/feedbackto submit feedback about nodosdeconocimiento.es, while the resulting private Seed documents are created under:
seedteamtalks.hyper.mediaUsers should not need write permission on seedteamtalks.hyper.media.
Current issue
The current implementation publishes directly from the browser.
That means the browser user signs the document creation request and publishes the private document into the target Seed account.
This only works if the user has write capability on that target account.
For this feedback flow, that does not fit: users submitting feedback should not need write access to seedteamtalks.hyper.media.
Proposed approach
The /feedback page should submit the form to a server endpoint on the same site:
POST /hm/api/feedbackThe server receives the structured feedback payload, validates it, and then creates the private Seed document under the Seed Team Talks account.
The flow becomes:
1. User opens https://nodosdeconocimiento.es/feedback
2. User fills the feedback form
3. Browser sends the feedback to /hm/api/feedback
4. The server validates the submission
5. The server publishes a private document under seedteamtalks.hyper.media
6. The user sees a thank-you confirmationWhy this is better
This avoids requiring each submitting user to have write access to the feedback destination.
It also keeps the browser flow simple:
POST /hm/api/feedbackBenefits:
no cross-origin browser complications
no need to grant users write access to Seed Team Talks
easier local testing
clearer security model
feedback is centralized in one Seed Team Talks location
the user experience remains native to
nodosdeconocimiento.es
Server permissions
The nodosdeconocimiento.es server must be authorized to publish into the Seed Team Talks account, by granting the server signer write capability on the Seed Team Talks account
Configuration
The web config should include both:
{
"registeredAccountUid": "NODOS_SITE_ACCOUNT_UID",
"feedbackDestinationAccountUid": "SEED_TEAM_TALKS_ACCOUNT_UID",
"feedbackDestinationLabel": "seedteamtalks.hyper.media"
}registeredAccountUid remains the account for the site being served:
nodosdeconocimiento.esfeedbackDestinationAccountUid is the account where feedback documents are created:
seedteamtalks.hyper.mediaCreated document content
Each private feedback document should clearly record what the feedback is about:
Tipo: Feedback
Formulario: /feedback
Origen: Formulario web
Página evaluada: nodosdeconocimiento.es
URL: https://nodosdeconocimiento.es/
Guardado en: seedteamtalks.hyper.media
Visibilidad: Privado
Fecha de envío: ...Then the document should include the non-empty form answers.
Frontend behavior
The /feedback page should no longer require the user to have write capability on the feedback destination.
Instead:
user fills out the form
submit button sends the structured payload to
/hm/api/feedbackserver handles the private document creation
success state confirms the feedback was received
the UI does not need to show a private document link unless the user is allowed to view that document
Authentication decision
This architecture can support either authenticated or anonymous submissions.
If submissions should be authenticated, the server endpoint should verify the user session before accepting feedback.
If anonymous submissions are acceptable, the endpoint can accept the feedback payload directly, with rate limiting or spam protection added later.
Summary
The feedback flow should move from browser-side document publishing to server-side document creation.
Users submit feedback through nodosdeconocimiento.es, and the server creates a private Seed document under seedteamtalks.hyper.media.
This gives us centralized feedback collection without requiring users to have write access to the destination Seed account.
Do you like what you are reading? Subscribe to receive updates.
Unsubscribe anytime