Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ensure authorized data access #5

Open
timoweiss opened this issue Dec 21, 2015 · 0 comments
Open

ensure authorized data access #5

timoweiss opened this issue Dec 21, 2015 · 0 comments
Labels
backend-discussion help wanted question

Comments

@timoweiss
Copy link
Member

To ensure no unauthorized data access we need to attach the requesters user_id to the service queries.
This is, of course, not for each action required.
To keep the api of the services consistent, we should define one property name:

  • requester_id, requesterId
  • requesting_user, requestingUser
  • asker :D
  • ...

pls propose/vote @locator-kn/backend

eg. verify that requesting user is part of conversation (get conversation by id):

// given datastructure
{
    _id: ObjectId('abcbcaabc'),
   participants: [{user_id: 'user1', last_read: 0}, {user_id: 'user2', last_read: 0}]
}
// resulting query
collection.find({_id: new ObjectId(conversation_id), 'participants.user_id': requestingUser})
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
backend-discussion help wanted question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@timoweiss