2009/7/20 Chris Anderson <[email protected]>:
> On Mon, Jul 20, 2009 at 12:19 AM, Benoit Chesneau<[email protected]> wrote:
>> 2009/7/20 Chris Anderson <[email protected]>:
>>> Devs,
>>>
>>> I've just committed a patch (r795687) that adds the ability to filter
>>> _changes requests with a JavaScript function.
>>>
>>> The function signature is:
>>>
>>> function(doc, req, userCtx) {
>>>   return (true or false);
>>> }
>>>
>>> When it returns true (or something truthy, like a non-empty string or
>>> a non-zero number), the change is passed along to the user, otherwise
>>> it is skipped.
>>>
>>> The filter functions are stored on design documents under the
>>> "filters" field. The current best source of documentation is the
>>> changes.js test.
>>>
>>> To query changes with a filter, the syntax is like:
>>>
>>> GET /db/_changes?filter=ddocname/filtername
>>>
>>> The biggest problem with this patch is that it uses a JavaScript OS
>>> process per connected filtered listener. Fixing this is an
>>> optimization as it won't affect the API, which is why I'm comfortable
>>> committing this.
>>>
>>> I'd appreciate some review to make sure the implementation is on the
>>> right track.
>>>
>>> Cheers,
>>> Chris
>>>
>>> --
>>
>> Implementation seems good for me and tests pass. For userCtx filtering
>> I guess it would be needed to have a way to filter all changes without
>> passing any parameter to forbid all changes read. Maybe by adding a
>> main validate_changes on top of a design doc? Same args but this
>> function would be applied on all changes. What do you think about it?
>>
>
> I think you're suggesting using filtered changes as a security
> mechanism?

Not exactly. Since you can filter on userCtx, it may be needed to forbid
users who don't have to see these changes; if not, users can just use the
URL without a filter to access all changes. I was just thinking of a way
to "hide" changes for some users (if role = blahblah don't show this
change). Maybe the easier way to do it is passing a global function that
works like filter but as a default. Just thinking anyway.

- benoît
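
Added example, not part of the thread or of CouchDB's code: a small in-memory model of the feed that shows why a filter the caller selects is not access control, since the same user gets every change by leaving the parameter off. The ddoc name "app", the filter name "by_role", the "restricted_to" field, the sample documents and the changesFeed and leakedWithoutFilter helpers are all assumptions made for illustration.

```javascript
// Design document shaped as the thread describes: filter functions are
// stored under the "filters" field. Names and fields here are constructed.
const ddoc = {
  _id: "_design/app",
  filters: {
    // Signature from the thread: function(doc, req, userCtx) -> truthy/falsy
    by_role: function (doc, req, userCtx) {
      return !doc.restricted_to || userCtx.roles.includes(doc.restricted_to);
    },
  },
};

// Constructed sample changes (sequence number plus document body).
const changes = [
  { seq: 1, doc: { _id: "public-note" } },
  { seq: 2, doc: { _id: "payroll", restricted_to: "finance" } },
  { seq: 3, doc: { _id: "roadmap", restricted_to: "staff" } },
];

// Hypothetical model of GET /db/_changes[?filter=ddocname/filtername].
// The caller chooses the filter; with no filter parameter nothing is skipped.
function changesFeed(query, userCtx) {
  if (!query.filter) return changes.map((c) => c.doc._id);
  const [ddocName, filterName] = query.filter.split("/");
  const fn =
    ddoc._id === "_design/" + ddocName ? ddoc.filters[filterName] : undefined;
  if (typeof fn !== "function") {
    throw new Error("unknown filter: " + query.filter);
  }
  return changes
    .filter((c) => fn(c.doc, { query }, userCtx))
    .map((c) => c.doc._id);
}

// Audit helper: ids the filter hides from this user that the unfiltered
// feed still returns to the very same user.
function leakedWithoutFilter(userCtx) {
  const visible = new Set(changesFeed({ filter: "app/by_role" }, userCtx));
  return changesFeed({}, userCtx).filter((id) => !visible.has(id));
}

const alice = { name: "alice", roles: ["staff"] }; // constructed user context
console.log("filtered:", changesFeed({ filter: "app/by_role" }, alice));
console.log("leaked without filter:", leakedWithoutFilter(alice));
```

Any non-empty result from leakedWithoutFilter means the restriction has to be enforced where the request is authorized, not in a filter the client can omit.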
