Posted to user@couchdb.apache.org by Wordit Ltd <wo...@googlemail.com> on 2010/11/16 18:30:10 UTC

Allowing specific field value updates only

Can anybody think of a way to allow _user to decrease a field value,
but not increase it?
Increments would only be allowed to _admin. I can only think to
compare the new value with the old one and see if it is greater or
less.

Would that work in a validation function, and is it secure?

I'm trying to keep as many update actions to the client-side. If I let
admin do all the updates then I have to use an Ajax call to the
server.

Marcus

Re: Allowing specific field value updates only

Posted by Jan Lehnardt <ja...@apache.org>.
On 17 Nov 2010, at 22:12, Mike Fedyk wrote:

> On Wed, Nov 17, 2010 at 4:02 AM, Wordit Ltd <wo...@googlemail.com> wrote:
>> On Tue, Nov 16, 2010 at 10:01 PM, Jan Lehnardt <ja...@apache.org> wrote:
>>> 
>>>  function(newDoc, oldDoc, userCtx) {
>>>    if(userCtx.roles.indexOf("_admin") == -1) { // not an admin
>>>      if(newDoc.field > oldDoc.field) { // your condition is this
>>>        throw({forbidden : message});
>>> ...
>> 
>> Many Thanks. Aha! So this is what oldDoc is good for :-)
>> I'm new to CouchDB and could not find a reason to specify oldDoc.
>> 
>> I couldn't figure out how to pass the new value, being in a variable,
>> to the validation function. From this example I see that CouchDB has
>> both old and new fields internally which can be accessed via oldDoc
>> and newDoc. It seems obvious now, but although I've read the docs and
>> book chapters on the subject it was not clear what was happening.
>> 
>> Some examples in the CouchDB book and docs, like this using oldDoc and
>> newDoc fields would be helpful to newbies.
>> 
> 
> Kinda late now, but maybe it should be called "currentDoc".
> Especially since you're possibly rejecting the newDoc, it just may not
> be old anymore. ;)

The naming is arbitrary; as far as CouchDB is concerned, you can write this:

function(fatherson, monkeykid, what) {
   ...
}

Cheers
Jan
-- 


Re: Allowing specific field value updates only

Posted by Mike Fedyk <mf...@mikefedyk.com>.
On Wed, Nov 17, 2010 at 4:02 AM, Wordit Ltd <wo...@googlemail.com> wrote:
> On Tue, Nov 16, 2010 at 10:01 PM, Jan Lehnardt <ja...@apache.org> wrote:
>>
>>  function(newDoc, oldDoc, userCtx) {
>>    if(userCtx.roles.indexOf("_admin") == -1) { // not an admin
>>      if(newDoc.field > oldDoc.field) { // your condition is this
>>        throw({forbidden : message});
>> ...
>
> Many Thanks. Aha! So this is what oldDoc is good for :-)
> I'm new to CouchDB and could not find a reason to specify oldDoc.
>
> I couldn't figure out how to pass the new value, being in a variable,
> to the validation function. From this example I see that CouchDB has
> both old and new fields internally which can be accessed via oldDoc
> and newDoc. It seems obvious now, but although I've read the docs and
> book chapters on the subject it was not clear what was happening.
>
> Some examples in the CouchDB book and docs, like this using oldDoc and
> newDoc fields would be helpful to newbies.
>

Kinda late now, but maybe it should be called "currentDoc".
Especially since you're possibly rejecting the newDoc, it just may not
be old anymore. ;)

Re: Allowing specific field value updates only

Posted by Jan Lehnardt <ja...@apache.org>.
On 17 Nov 2010, at 13:02, Wordit Ltd wrote:

> On Tue, Nov 16, 2010 at 10:01 PM, Jan Lehnardt <ja...@apache.org> wrote:
>> 
>>  function(newDoc, oldDoc, userCtx) {
>>    if(userCtx.roles.indexOf("_admin") == -1) { // not an admin
>>      if(newDoc.field > oldDoc.field) { // your condition is this
>>        throw({forbidden : message});
>> ...
> 
> Many Thanks. Aha! So this is what oldDoc is good for :-)
> I'm new to CouchDB and could not find a reason to specify oldDoc.
> 
> I couldn't figure out how to pass the new value, being in a variable,
> to the validation function. From this example I see that CouchDB has
> both old and new fields internally which can be accessed via oldDoc
> and newDoc. It seems obvious now, but although I've read the docs and
> book chapters on the subject it was not clear what was happening.
> 
> Some examples in the CouchDB book and docs, like this using oldDoc and
> newDoc fields would be helpful to newbies.

Good point, I'll see if I can add this to the book.

Cheers
Jan
-- 


Re: Allowing specific field value updates only

Posted by Wordit Ltd <wo...@googlemail.com>.
On Tue, Nov 16, 2010 at 10:01 PM, Jan Lehnardt <ja...@apache.org> wrote:
>
>  function(newDoc, oldDoc, userCtx) {
>    if(userCtx.roles.indexOf("_admin") == -1) { // not an admin
>      if(newDoc.field > oldDoc.field) { // your condition is this
>        throw({forbidden : message});
> ...

Many Thanks. Aha! So this is what oldDoc is good for :-)
I'm new to CouchDB and could not find a reason to specify oldDoc.

I couldn't figure out how to pass the new value, being in a variable,
to the validation function. From this example I see that CouchDB has
both old and new fields internally which can be accessed via oldDoc
and newDoc. It seems obvious now, but although I've read the docs and
book chapters on the subject it was not clear what was happening.

Some examples in the CouchDB book and docs, like this using oldDoc and
newDoc fields would be helpful to newbies.

Marcus

Re: Allowing specific field value updates only

Posted by Jan Lehnardt <ja...@apache.org>.
On 16 Nov 2010, at 18:40, Robert Newson wrote:

> a validation function will have the current document, the proposed new
> document, and the user context, so it should be simple to enforce
> these conditions.

In code:

  function(newDoc, oldDoc, userCtx) {
    if(userCtx.roles.indexOf("_admin") == -1) { // not an admin
      // oldDoc is null when the document is being created
      if(oldDoc && newDoc.field > oldDoc.field) { // your condition is this
        throw({forbidden : "only admins may increase field"});
      }
    }
  }

Cheers
Jan
-- 


> 
> B.
> 
> On Tue, Nov 16, 2010 at 5:30 PM, Wordit Ltd <wo...@googlemail.com> wrote:
>> Can anybody think of a way to allow _user to decrease a field value,
>> but not increase it?
>> Increments would only be allowed to _admin. I can only think to
>> compare the new value with the old one and see if it is greater or
>> less.
>> 
>> Would that work in a validation function, and is it secure?
>> 
>> I'm trying to keep as many update actions to the client-side. If I let
>> admin do all the updates then I have to use an Ajax call to the
>> server.
>> 
>> Marcus
>> 
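
Added example, not part of the original thread and not CouchDB's own code: a stricter form of the validation function above, plus a small harness that runs it against constructed documents. The name "field" is the thread's placeholder; the create/delete policy, the user name and the error texts are assumptions.

```javascript
// Added example (not from the thread). "field" is the thread's placeholder
// name; the error texts and the create/delete policy are assumptions.
function validateDocUpdate(newDoc, oldDoc, userCtx) {
  if (userCtx.roles.indexOf("_admin") !== -1) {
    return; // admins may set any value
  }
  if (!oldDoc || newDoc._deleted) {
    // Assumed policy: only admins create or delete these documents,
    // so a non-admin cannot reset the baseline by recreating the doc.
    throw({forbidden: "only admins may create or delete this document"});
  }
  // A bare `newDoc.field > oldDoc.field` is false for undefined and for
  // non-numeric strings, so such values would be accepted and would then
  // become the baseline that the next update is compared against.
  if (typeof newDoc.field !== "number" || !isFinite(newDoc.field)) {
    throw({forbidden: "field must be a finite number"});
  }
  if (typeof oldDoc.field !== "number" || newDoc.field > oldDoc.field) {
    throw({forbidden: "only admins may increase field"});
  }
}

// Harness: returns "ok" or the forbidden message, mirroring how the
// write is either accepted or rejected.
function check(newDoc, oldDoc, roles) {
  try {
    validateDocUpdate(newDoc, oldDoc, {name: "marcus", roles: roles});
    return "ok";
  } catch (e) {
    if (e && e.forbidden) return e.forbidden;
    throw e; // anything else is a bug in the validation function itself
  }
}

// Constructed sample documents.
const stored = {_id: "counter", field: 10};
console.log(check({_id: "counter", field: 7}, stored, []));          // decrease by a user
console.log(check({_id: "counter", field: 11}, stored, []));         // increase by a user
console.log(check({_id: "counter", field: "abc"}, stored, []));      // non-numeric value
console.log(check({_id: "counter"}, stored, []));                    // field removed
console.log(check({_id: "counter", field: 11}, stored, ["_admin"])); // increase by an admin
```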


Re: Allowing specific field value updates only

Posted by Robert Newson <ro...@gmail.com>.
a validation function will have the current document, the proposed new
document, and the user context, so it should be simple to enforce
these conditions.

B.

On Tue, Nov 16, 2010 at 5:30 PM, Wordit Ltd <wo...@googlemail.com> wrote:
> Can anybody think of a way to allow _user to decrease a field value,
> but not increase it?
> Increments would only be allowed to _admin. I can only think to
> compare the new value with the old one and see if it is greater or
> less.
>
> Would that work in a validation function, and is it secure?
>
> I'm trying to keep as many update actions to the client-side. If I let
> admin do all the updates then I have to use an Ajax call to the
> server.
>
> Marcus
>