Lesson 17

Restricting Document Updates

Increase security by restricting who can update documents


Lesson Outline

Restricting Document Updates

Earlier, we added some buttons to edit and delete notices, and we only display those buttons if the author of the notice matches the currently logged in user (we only want users to be able to edit and delete their own notices).

However, you should never rely on the front end to enforce security rules. Javascript is client side, so it's easy enough for people to modify it and get around whatever kind of security you implement to restrict this. In order to enforce these rules, we need to do it outside of the front end. Typically this means having the server handle access control, but in the case of CouchDB we are going to implement security rules directly into the database itself with validate_doc_update functions.

Using validate_doc_update to Implement Access Control

Previously in this module, we used design documents to implement views for the database. We created a view that allows us to grab a list of notices ordered by the date they were last updated and a list of chats by the date they were created.

We are going to extend our design documents to include a validate_doc_update function, which is implemented in a very similar way to a view. Instead of supplying a map function to the view, we will supply a different kind of function to validate_doc_update.

Let's take a look at the function we will be using right now because I think it will be easier to explain if you can see it first.


Thanks for checking out the preview of this lesson!

The full version of this lesson is only available to pro members. If you would like full access to this module and all of the other pro modules on Elite Ionic you can become a pro member (or log in if you are already a member).