1

I am using Couchbase's Sync Gateway and want to restrict the access to the documents. Furthermore, the individual restriction for each document should take into account what is currently happening: The document is just being read or it is either being created or changed in some way. To this end, I can use oldDoc and deleted:

  • create: oldDoc will be undefined
  • read: ???
  • update: oldDoc is an object without the property deleted : true
  • delete: oldDoc is an object with the property deleted : true

Basically, "CUD" is documented. What I have not found out so far, is how I restrict the Read access to the documents.

E.g. there may be an admin user who is allowed to create, update and delete a specific type of document (and of course see it). A normal user on the other hand would only be allowed to see this document but could neither create nor update / delete it.

Bastian
  • 4,638
  • 6
  • 36
  • 55

1 Answers1

1

I think this is a good use case for using the role api available in the sync function.

For example, the admin user would have the admin role. You can assign a role to a user with the role function.

Then both the normal and admin user have access to the channel containing the document.

And use the requireRole function to check the user has the admin role to allow the CUD operations.

jamiltz
  • 1,144
  • 8
  • 15
  • Ah, got it! I just extended the sync function with `requireRole('admin')`. By doing so the visibility (GET) was not influenced but changes to documents (specifically ADD) could only be conducted by the admin. So the fundamental idea seems to be the distinction between channels (used for GET) and requireUser/Role (used for PUT, POST and DELETE). This is kind of weird but I am glad that it works now. – Bastian May 22 '15 at 13:59