Re: document-level access control

2015-02-03 Thread Jens Alfke

 On Feb 3, 2015, at 8:16 AM, Seung Chan Lim djs...@gmail.com wrote:
 
 How about removing a user from a role? I'm not seeing any mention of that on 
 that page or on google. I assume you can't just manually edit the roles 
 attribute of the user account doc?

If the sync function adds a user to a role, that action is associated with that 
document. If the next edit of the document changes it such that the sync 
function no longer makes that role() call, then the user won't be added to the 
role anymore, so they won't have the role (unless something else is still 
giving it to them).

What's actually going on is that every document has ACL metadata that lists 
what users should be given which roles, and access to which channels. This 
metadata is rewritten by the sync function every time the document is updated. 
The users' role memberships and channel access are computed by merging together 
the ACLs of all documents.

—Jens

-- 
You received this message because you are subscribed to the Google Groups 
Couchbase Mobile group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to mobile-couchbase+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/mobile-couchbase/6CACFD69-3B19-416B-BC20-F322806C4E46%40couchbase.com.
For more options, visit https://groups.google.com/d/optout.


Re: document-level access control

2015-02-03 Thread Seung Chan Lim
How about removing a user from a role? I'm not seeing any mention of that 
on that page or on google. I assume you can't just manually edit the 
roles attribute of the user account doc?

On Sunday, February 1, 2015 at 12:11:18 PM UTC-5, Jens Alfke wrote:


 On Feb 1, 2015, at 5:04 AM, Seung Chan Lim djs...@gmail.com wrote:

 Is there more on how to create roles, add/remove users from them, etc.?


 There's a role() function
 (http://developer.couchbase.com/mobile/develop/guides/sync-gateway/sync-function-api-guide/routing/index.html#role)
 that the sync function can call, to give a role to a user.

 —Jens




Re: document-level access control

2015-02-01 Thread Seung Chan Lim
Ah... Membership documents! Indeed. That's a great idea! Thank you.

As for roles, is the following all the documentation available for roles?
http://developer.couchbase.com/mobile/develop/guides/sync-gateway/administering-sync-gateway/authorizing-users/index.html#roles

Is there more on how to create roles, add/remove users from them, etc.?

slim

On Saturday, January 31, 2015 at 2:51:34 PM UTC-5, Jens Alfke wrote:

 That's one way to do it. Another way is to create a separate doc for every 
 user membership, looking something like 
 {"type": "membership", "doc": "some_document_id", "member": "jens"}
 Then you set up the sync function to recognize this doc type and use it to 
 grant jens access to channel some_document_id. 

 The tradeoff is between one big document, or lots of small documents. (Or 
 you can have an intermediate, like the above example but you make the 
 member property an array so it can grant access to multiple users with 
 one doc.) 

 If you expect users to be grouped together, you can bring roles into it — 
 have the master doc list the roles it grants access to, and per-user docs 
 stating what roles the user is in. 

 —Jens



Re: document-level access control

2015-02-01 Thread Jens Alfke

 On Feb 1, 2015, at 5:04 AM, Seung Chan Lim djs...@gmail.com wrote:
 
 Is there more on how to create roles, add/remove users from them, etc.?

There's a role() function
(http://developer.couchbase.com/mobile/develop/guides/sync-gateway/sync-function-api-guide/routing/index.html#role)
that the sync function can call, to give a role to a user.

—Jens



Re: document-level access control

2015-01-31 Thread Jens Alfke
That's one way to do it. Another way is to create a separate doc for every user 
membership, looking something like
{"type": "membership", "doc": "some_document_id", "member": "jens"}
Then you set up the sync function to recognize this doc type and use it to 
grant jens access to channel some_document_id.

The tradeoff is between one big document, or lots of small documents. (Or you 
can have an intermediate, like the above example but you make the member 
property an array so it can grant access to multiple users with one doc.)

If you expect users to be grouped together, you can bring roles into it — have 
the master doc list the roles it grants access to, and per-user docs stating 
what roles the user is in.

—Jens
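
The mechanism described in this thread (membership documents, role grants, and per-document ACL metadata that is rewritten on each update and merged across all documents), as an added example that is not from the original posts or from Couchbase. The doc types `user_roles` and `master`, and the in-memory model (`aclByDoc`, `put`, `rolesOf`, `channelsOf`), are hypothetical; `channel()`, `access()` and `role()` here are toy stand-ins named after the sync function API calls.

```javascript
// Toy model of the gateway side (an assumption, not Sync Gateway's code):
// each document id maps to the grants its latest revision declared.
const aclByDoc = new Map();
let current = null;
const list = (v) => (v == null ? [] : [].concat(v));
function channel() {}                      // document routing is not modelled
function access(who, chans) {
  for (const w of list(who)) for (const c of list(chans)) current.access.push([w, c]);
}
function role(users, roles) {
  for (const u of list(users)) for (const r of list(roles)) current.roles.push([u, r]);
}

// Sync function as it would be configured; the doc types are hypothetical.
function sync(doc, oldDoc) {
  if (doc._deleted) return;                // tombstone: no grants declared
  if (doc.type === "membership") {
    access(doc.member, doc.doc);           // member: one name or an array
  } else if (doc.type === "user_roles") {
    role(doc.user, list(doc.roles).map((r) => "role:" + r));
  } else if (doc.type === "master") {
    channel(doc._id);
    access(list(doc.roles).map((r) => "role:" + r), doc._id);
  }
}

// Each update replaces that document's ACL metadata wholesale, so a grant
// that the new revision no longer declares disappears.
function put(doc) {
  current = { access: [], roles: [] };
  sync(doc, null);
  aclByDoc.set(doc._id, current);
}

// Effective rights are the merge of every document's ACL metadata.
function rolesOf(user) {
  const out = new Set();
  for (const a of aclByDoc.values())
    for (const [u, r] of a.roles) if (u === user) out.add(r);
  return out;
}
function channelsOf(user) {
  const who = new Set([user, ...rolesOf(user)]);
  const out = new Set();
  for (const a of aclByDoc.values())
    for (const [w, c] of a.access) if (who.has(w)) out.add(c);
  return [...out].sort();
}
```

In a real deployment the branches that grant access should also check who is writing the document (Sync Gateway provides `requireUser()` and `requireRole()` for this), since any user able to create such a doc can otherwise grant access.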
