From: Jan Lehnardt
Subject: Re: Allowing specific field value updates only
Date: Tue, 16 Nov 2010 22:01:17 +0100
To: user@couchdb.apache.org
Message-Id: <0AE1A4F9-E275-4D44-A0B1-7ADCD9752857@apache.org>

On 16 Nov 2010, at 18:40, Robert Newson wrote:

> a validation function will have the current document, the proposed new
> document, and the user context, so it should be simple to enforce
> these conditions.

In code:

    function(newDoc, oldDoc, userCtx) {
      if(userCtx.roles.indexOf("_admin") == -1) {
        // not an admin
        if(newDoc.field > oldDoc.field) {
          // your condition is this
          throw({forbidden : "only an admin may increase field"});
        }
      }
    }

Cheers
Jan
-- 

> 
> B.
> 
> On Tue, Nov 16, 2010 at 5:30 PM, Wordit Ltd wrote:
>> Can anybody think of a way to allow _user to decrease a field value,
>> but not increase it?
>> Increments would only be allowed to _admin. I can only think to
>> compare the new value with the old one and see if it is greater or
>> less.
>> 
>> Would that work in a validation function, and is it secure?
>> 
>> I'm trying to keep as many update actions to the client-side. If I let
>> admin do all the updates then I have to use an Ajax call to the
>> server.
>> 
>> Marcus
>> 
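The sketch in the reply above, filled out as an added example (not code from the thread): a validate_doc_update function that lets any user lower the numeric field but reserves raising it for holders of the _admin role, and that also handles document creation (no oldDoc), deletion, a missing field and non-numeric values, which the sketch does not. Because CouchDB runs this function server-side for every write, the rule holds even when the client performs the update. The field name "count", the attempt() harness and the sample user contexts are assumptions for illustration.

```javascript
// Added example; "count" and attempt() are assumed names, not from the thread.
var FIELD = "count";

function validateDocUpdate(newDoc, oldDoc, userCtx) {
  var isAdmin = userCtx.roles.indexOf("_admin") !== -1;
  if (isAdmin) {
    return; // admins may create, raise, lower and delete freely
  }
  if (newDoc._deleted) {
    // Deleting and re-creating would reset the counter, so only admins delete.
    throw({ forbidden: "only admins may delete documents" });
  }
  var newVal = newDoc[FIELD];
  // Reject strings and other types: "10" > 9 is true after coercion, and a
  // missing field would compare as undefined > number (false) and slip through.
  if (typeof newVal !== "number" || !isFinite(newVal)) {
    throw({ forbidden: FIELD + " must be a finite number" });
  }
  // A new document, or an old one without the field, starts at 0, so a
  // non-admin cannot bypass the rule by creating a fresh document.
  var oldVal = (oldDoc && typeof oldDoc[FIELD] === "number") ? oldDoc[FIELD] : 0;
  if (newVal > oldVal) {
    throw({ forbidden: FIELD + " may only be increased by an admin" });
  }
}

// Harness for exercising the function outside CouchDB: returns null when the
// update would be accepted, otherwise the forbidden message.
function attempt(newDoc, oldDoc, userCtx) {
  try {
    validateDocUpdate(newDoc, oldDoc, userCtx);
    return null;
  } catch (e) {
    return e.forbidden;
  }
}

// Constructed sample user contexts in the shape CouchDB passes to the function.
var user = { name: "marcus", roles: [] };
var admin = { name: "root", roles: ["_admin"] };
```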