I am playing around with CouchDB and PouchDB for a project where users have their own database and can add each other to view, or edit their docs.
Goal is to have different levels of accessibility: Depending on the docs themselves other users, who are not the docs.owner will have limited writing/updating permissions. The databases owner/admin grants those privileges.
I am not sure how to properly implement that.
At the moment my solution for this is to let the DBs owner "befriend" other users and add them as members to db/_security, while limiting the writing rights with a _design document like described in: https://github.com/pouchdb-community/pouchdb-authentication/blob/master/docs/recipes.md
But I need a mixture of user specific and DBs specific permissions. So my strategy is to also let the user/owner add special roles besides the default "members" and "admins" to db/_security.
Example:
A user paula owns the DB paulas_DB and wants to grant user jan the right to change the property "location" of every document. So Paula adds jan to members.names in _security and adds a new list to _security called "movers":
curl -X PUT $HOST/paulas_DB/_security -d '{"members":{"names":["admin","paula","jan"],"roles":[]},"admins":{"names":["admin","paula"]},"movers":["jan"]}'
the docs in paulas_DB are structured like this:
{
"_id": "y",
"_rev": "7-x",
"owner": "paula",
"location": "somewhere",
"name":"thing"
}
now there there is a design document in place in her database, checking that anyone who wants to change the document in general is at least a member AND then checking if they want to change location like this:
function (newDoc, oldDoc, userCtx, secObj) {
// only admins owners or friends of the owner (aka users in the _security members.names list) can edit
if (userCtx.roles.indexOf('_admin') === -1 && oldDoc.owner !== userCtx.name && secObj.members.names.indexOf(userCtx.name) === -1)
{
// next step: add special fields to be either editable or not
throw({forbidden : "sorry. you are not the owner of this document"});
}
// only owners users who are also listed within _security.movers can change the location
if (oldDoc.location !== newDoc.location && oldDoc.owner !== userCtx.name && secObj.movers.indexOf(userCtx.name) === -1)
{
throw({forbidden : "you are not allowed to change the location of an item, dummie!"})
}
}
This method seems to work and was fairly straight forward, but something feels off to add non-standard properties into _security.
Is there another, propper way to do the same thing? Or is that an acceptable design for a document/user specific permission system?