On Oct 16, 2015, at 7:14 AM, Seung Chan Lim
<[email protected]<mailto:[email protected]>> wrote:
1. have users create documents
2. only allow the user that created the document to edit the document (i.e. in
the sync function check the "owner" attribute to be the same as the
authenticated user)
3. allow everyone see the document (i.e. put it in a "public" channel)
4. hide who created the document from people other than the creator
This is tricky. By design, there isn’t any hidden information in documents.
That’s because we support multi-master replication where docs might pass
through multiple servers/peers, so there isn’t just one source of ‘truth’. I
think the best you can do is to obscure the creator, so that it’s possible to
tell that two revisions were written by the same creator without revealing who
that creator is.
I came up with a clever solution that relies on encrypting the username.
Unfortunately it would require the sync function to decrypt it, but it isn’t
practical to do that because there are no encryption APIs available, and
implementing them in JS in the sync fn would be too slow. :(
Then JChris came up with an even more clever solution, and I simplified it a
little bit:
* For every user, pick a secret string as their ‘codename’. It needs to be
unique, and it needs to be impossible to derive the username from the codename.
* Create a role named "codename-“+codename, and grant only that user that
role.
* The client needs to know the user's codename somehow.
* When a client creates a new document, it adds a property “codename” whose
value is the user’s codename.
* The sync function then calls requireRole("codename-"+doc.codename)
—Jens
--
You received this message because you are subscribed to the Google Groups
"Couchbase Mobile" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/mobile-couchbase/860AF4C3-C24E-42A1-9B5D-76C4EEC36AD1%40couchbase.com.
For more options, visit https://groups.google.com/d/optout.