
Which is a better trade-off for validation of a common field?

user.groups = [someIds]


db.posts.findOne({ _id: someId, group: someOtherId })

If there's no document returned, then I can assume the user is querying for a document outside of their group.

--- OR ---

db.posts.findOne({ _id: someId }, function(err, doc){
  if (err || !doc) {
    // query error or no such post: doc is null here, so bail out before touching doc.group
    return;
  }
  if (!~user.groups.indexOf(doc.group)){
    // not validated
  }
})
paulkon
  • By validation, are you referring to whether the user has permission to view a post based on their groups? The answer here depends on whether you need to tell the user anything about the post they don't have access to (i.e. a more specific "you don't have permission to view this post" versus just a generic "404: post not found"). Either approach can work depending on what you want to do in your application UI. – Stennie Jan 26 '14 at 00:18
  • Ah, yes. You're right. I have a few post fetch routes which do need to respond with a 403 and 404 vs only a 404. – paulkon Jan 26 '14 at 07:36
  • @Stennie So, assuming that the user already has all the information about what they can and cannot view, hence the client-side can effectively handle nearly all validation, would it make sense to integrate the validation as part of the queries and add those validation fields to the indexes? – paulkon Apr 17 '14 at 19:24
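The two strategies from the question side by side, as an added example that is not part of the original post or its comments. It runs against a constructed in-memory stand-in for the `posts` collection (a small `findOne` that understands equality and `$in`), so `posts`, `user` and the ids are made up; the point is the difference in what each strategy can report.

```javascript
// Added example, not from the question: both authorization strategies run
// against a constructed in-memory stand-in for db.posts so no MongoDB is needed.
const posts = [
  { _id: "p1", group: "g1", title: "in one of the user's groups" },
  { _id: "p2", group: "g9", title: "in someone else's group" },
];
const user = { groups: ["g1", "g2"] };

// Minimal stand-in for collection.findOne: supports {field: value} and {field: {$in: [...]}}.
function findOne(collection, filter) {
  const match = collection.find((doc) =>
    Object.entries(filter).every(([key, cond]) =>
      cond && typeof cond === "object" && Array.isArray(cond.$in)
        ? cond.$in.includes(doc[key])
        : doc[key] === cond
    )
  );
  return match || null;
}

// Strategy 1: the group constraint is part of the query. A compound index on
// {_id, group} can serve it, but "forbidden" and "nonexistent" both come back
// as "no document", so the caller can only answer 404.
function fetchScopedToGroups(postId) {
  const doc = findOne(posts, { _id: postId, group: { $in: user.groups } });
  return doc ? { status: 200, doc } : { status: 404 };
}

// Strategy 2: fetch by _id, then check membership in application code. One
// extra comparison, but the two failure cases stay distinguishable. The null
// check is the step the snippet in the question skips: doc.group on a missing
// document would throw.
function fetchThenCheck(postId) {
  const doc = findOne(posts, { _id: postId });
  if (!doc) return { status: 404 };
  if (!user.groups.includes(doc.group)) return { status: 403 };
  return { status: 200, doc };
}
```

With real ObjectId values, `indexOf`/`includes` compare by reference, so compare string forms or use `ObjectId.equals` on both sides. Note that answering 403 rather than 404 confirms that the post exists, which is the choice Stennie's comment points at.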
