I’m working on a mobile project with the Sync Gateway.
Everything works fine, but I’ve got one crucial question about the admin REST API.
It’s something like a chat application, but in my case, using a ‘members’ field in the docs to use an access() or role() in the sync function is a security hole.
So when a ‘chatroom’ is created or updated, I trigger a webhook event to my app server, which makes a change to the user’s channels and roles to give access. This change depends on another database.
So my question:
What happens if several concurrent modifications (read and add something to the admin_channels/roles array of the user) are made?
The conflict is easy to handle in the docs with the _rev number, but in the _user/docs, there are no revisions…
- process 1 reads user1 roles
- process 2 reads user roles
- process 1 adds a role in the admin_roles array
- process 2 adds another role in the admin_roles array
- process 1 curls the change
- process 2 curls the change…
Thank you for your response, it’s really a critical aspect of my app.
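
The interleaving listed in the post, replayed as an added example that is not part of the original post and is not Sync Gateway code. `FakeUserStore` is a constructed in-memory stand-in that assumes, as the post describes, that a write replaces the whole role array with no revision check; the per-user lock is one app-server-side way to serialize the updates and assumes every write goes through a single app-server process.

```python
import threading

class FakeUserStore:
    """Constructed stand-in for a user record: whole-record writes, no revision check."""
    def __init__(self):
        self._users = {"user1": {"admin_roles": []}}

    def get(self, name):
        return {"admin_roles": list(self._users[name]["admin_roles"])}

    def put(self, name, body):
        self._users[name] = {"admin_roles": list(body["admin_roles"])}

def interleaved_update(store):
    """Replays the six steps from the post in the order given."""
    p1 = store.get("user1")             # process 1 reads user1 roles
    p2 = store.get("user1")             # process 2 reads user1 roles
    p1["admin_roles"].append("room-a")  # process 1 adds a role
    p2["admin_roles"].append("room-b")  # process 2 adds another role
    store.put("user1", p1)              # process 1 writes
    store.put("user1", p2)              # process 2 writes, dropping room-a
    return store.get("user1")["admin_roles"]

_user_locks = {}                        # hypothetical per-user lock table
_guard = threading.Lock()

def _lock_for(name):
    with _guard:
        return _user_locks.setdefault(name, threading.Lock())

def add_role_serialized(store, name, role):
    """Holds one lock across the whole read-modify-write cycle for a user."""
    with _lock_for(name):
        user = store.get(name)
        if role not in user["admin_roles"]:
            user["admin_roles"].append(role)
        store.put(name, user)

def concurrent_serialized(store, roles):
    """Runs one writer thread per role and returns the final role list."""
    threads = [threading.Thread(target=add_role_serialized,
                                args=(store, "user1", r)) for r in roles]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(store.get("user1")["admin_roles"])
```
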