incubator-couchdb-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Travis Paul ...@visPaul.me>
Subject Detecting upload of a standalone attachment in validate_doc_update functions
Date Sun, 24 Feb 2013 16:36:04 GMT
I found myself in a slight pickle today with standalone attachments and
validate_doc_update functions. Let me explaining my situation and possible
solution.

My validate_doc_update function is kinda like this:

...
if (userCtx.name !== newDoc.author) {
    throw({forbidden: 'Author does not match the authenticated user's name.'});
}
...

This is to ensure that Alice can't edit a document as Bob. I don't
mind if Alice edits Bob's document but when she does, she must be the
new 'author' (We really use 'author' as 'last-modified-by').


However this check falls apart when uploading a standalone attachment
in the following situation:

1) Bob creates a document.

2) Fred tries to add an attachment to Bob's document.

The validate_doc_update functions is executed but newDoc is just a
copy of current doc in Couch so userCtx.name is 'Fred' and
newDoc.author is 'Bob'. Whoops no go.

My solution is to simply have Fred save the document before uploading
an attachment (thus becoming the last 'author'. That's not so bad and
kinda makes sense because it is valuable to know who uploaded the last
attachment.

Just curious if anyone else has any better suggestions or if the
re-save approach makes the most sense.

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message