Access Rights (and Channels)


#1

I’ve a question concerning channels and access rights to documents.

Background:
In our mobile app we store a user profile document for users that log in with Facebook. We want to share this profile across multiple devices of the same user.

Our current sync function assigns each user to his own channel “profile-“+:

if (doc.className == "user-profile") {

    doc.public = false;

    if (doc.facebookId) {
        // Facebook profile

        requireUser(doc.facebookId);

        channel("profile-" + doc.facebookId);
        access([doc.facebookId, "admin"], "profile-" + doc.facebookId);

        console.log("assigned to profile channel: " + doc._id);

    }
}

Is this a reasonable approach or is there something we could do better? Specifically, is there a way to only use one "profile" channel that all users sync to, but restrict access based on the authenticated user?

Does this approach scale to > 100k users?

Thanks a lot.


#2

Hi @blanke,

I’m not sure if my answer is correct. But I like to view channels like pipelines. On one side of the pipeline are documents that are assigned through the channel function. On the other side of the pipeline are the users that have access through the access function or when you define the “channel” property during user creation. Anything on the same channel is connected to each other. So if you only want a specific user to access their own profile document, then you’ll need to create a new channel for each user/profile document combination.


#3

Hello @blanke,

Not sure what you want to achieve exactly, and maybe you skipped some part of your sync function. But as it is in this post, you will have a security issue. Nothing prevents a user from updating this profile document with his own Facebook id and then getting access to the document.
You need to check that oldDoc.fbid == doc.fbid and/or, in the update case, check requireUser(oldDoc.fbid).

Regarding your original question, if the user authenticates with the same user, he/she will get access to the same documents, including the profile ones.

Hope it helps,
Brgds
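
The check described in post #3, written out as an added example that is not part of the original thread and not code from any poster: updates and deletes are authorized against the stored revision (`oldDoc`) instead of the incoming body, and `className` and `facebookId` cannot change once set, which goes slightly beyond what the post lists. The names `syncProfile` and `runAs`, the sample documents, and the stubbed `requireUser`/`channel`/`access` are assumptions made so the logic runs outside Sync Gateway.

```javascript
// Hardened variant of the sync function from post #1 (added example).
// In Sync Gateway the body would sit inside the configured function(doc, oldDoc).
function syncProfile(doc, oldDoc) {
  var stored = (oldDoc && oldDoc.className === "user-profile") ? oldDoc : null;
  if (stored && stored.facebookId) {
    // Update or delete: authorize against the stored owner, not the new body.
    requireUser(stored.facebookId);
    if (doc._deleted) return; // a deletion revision may carry no other fields
    if (doc.className !== "user-profile" || doc.facebookId !== stored.facebookId) {
      throw({ forbidden: "className and facebookId are immutable" });
    }
  } else if (doc.className === "user-profile" && doc.facebookId) {
    // Create: a user may only create a profile carrying their own id.
    requireUser(doc.facebookId);
  } else {
    return; // not a profile document
  }
  var ch = "profile-" + doc.facebookId;
  channel(ch);
  access([doc.facebookId, "admin"], ch);
}

// Constructed harness: minimal stand-ins for Sync Gateway's helpers so the
// function can be exercised as a given authenticated user.
function runAs(user, doc, oldDoc) {
  var result = { ok: true, channels: [], grants: [] };
  globalThis.requireUser = function (name) {
    if (name !== user) throw { forbidden: "wrong user" };
  };
  globalThis.channel = function (c) { result.channels.push(c); };
  globalThis.access = function (users, c) { result.grants.push([users, c]); };
  try { syncProfile(doc, oldDoc); }
  catch (e) { result.ok = false; result.error = e.forbidden; }
  return result;
}

// Constructed sample documents: user "222" rewrites user "111"'s profile.
var stored = { _id: "p1", className: "user-profile", facebookId: "111" };
var rewrite = { _id: "p1", className: "user-profile", facebookId: "222" };
console.log(runAs("222", rewrite, stored)); // rejected by requireUser
console.log(runAs("111", stored, stored));  // owner update accepted
```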


#4

Thanks a lot. We also did some other reading. Apparently channels can be quite numerous, which can be used in the way we intended to.

Maybe this can help anyone who is facing similar questions:

https://groups.google.com/forum/#!msg/mobile-couchbase/dIyAu3JAIQM/OYYc979jBQAJ

https://groups.google.com/forum/#!msg/mobile-couchbase/dzwXz6JDhm8/JDg0GC0c_O0J