Ah... roles... Yes, indeed. It occurs to me that the "codename-" prefix is unnecessary. Am I right?

slim

On Friday, October 16, 2015 at 2:25:19 PM UTC-4, Jens Alfke wrote:
>
> On Oct 16, 2015, at 7:14 AM, Seung Chan Lim <[email protected]> wrote:
>
> 1. have users create documents
> 2. only allow the user that created the document to edit the document (i.e. in the sync function check the "owner" attribute to be the same as the authenticated user)
> 3. allow everyone to see the document (i.e. put it in a "public" channel)
> 4. hide who created the document from people other than the creator
>
> This is tricky. By design, there isn’t any hidden information in documents. That’s because we support multi-master replication where docs might pass through multiple servers/peers, so there isn’t just one source of ‘truth’. I think the best you can do is to *obscure* the creator, so that it’s possible to tell that two revisions were written by the same creator without revealing who that creator is.
>
> I came up with a clever solution that relies on encrypting the username. Unfortunately it would require the sync function to decrypt it, but it isn’t practical to do that because there are no encryption APIs available, and implementing them in JS in the sync fn would be too slow. :(
>
> Then JChris came up with an even more clever solution, and I simplified it a little bit:
>
> - For every user, pick a secret string as their ‘codename’. It needs to be unique, and it needs to be impossible to derive the username from the codename.
> - Create a role named "codename-"+codename, and grant only that user that role.
> - The client needs to know the user's codename somehow.
> - When a client creates a new document, it adds a property “codename” whose value is the user’s codename.
> - The sync function then calls requireRole("codename-"+doc.codename)
>
> —Jens
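The codename-role scheme from the quoted message, written out as a sync function (an added example, not code from the thread or from Couchbase). `newCodename`, `simulate`, the sample users and the stubbed `requireRole`/`channel` are assumptions so that it runs offline under Node.js; it also authorizes updates against `oldDoc.codename`, a check the thread does not discuss.

```javascript
// Added example. Sync Gateway's built-ins (requireRole, channel) are stubbed
// in simulate() so the sync function can be exercised offline under Node.js.
const crypto = require("crypto");

// Random codename: unique, and the username cannot be derived from it.
function newCodename() {
  return crypto.randomBytes(16).toString("hex");
}

// The sync function, as it would appear in the Sync Gateway config.
function sync(doc, oldDoc) {
  // Updates and deletes are authorized against the stored codename, so a
  // writer cannot take over a document by swapping in their own codename.
  var owner = oldDoc ? oldDoc.codename : doc.codename;
  if (typeof owner !== "string" || owner === "") {
    throw { forbidden: "missing codename" };
  }
  requireRole("codename-" + owner);
  if (!doc._deleted && doc.codename !== owner) {
    throw { forbidden: "codename is immutable" };
  }
  channel("public"); // readable by everyone; only the codename is exposed
}

// Hypothetical offline harness: runs sync() for a user holding `roles`.
function simulate(roles, doc, oldDoc) {
  var channels = [];
  globalThis.requireRole = function (role) {
    if (roles.indexOf(role) < 0) throw { forbidden: "missing role" };
  };
  globalThis.channel = function (name) { channels.push(name); };
  try {
    sync(doc, oldDoc);
    return { ok: true, channels: channels };
  } catch (e) {
    return { ok: false, reason: e.forbidden };
  }
}

// Constructed sample data: two users, each granted only their own role.
var aliceCode = newCodename(), bobCode = newCodename();
var alice = ["codename-" + aliceCode], bob = ["codename-" + bobCode];
var v1 = { _id: "doc1", text: "hello", codename: aliceCode };

console.log(simulate(alice, v1, null));                           // owner creates
console.log(simulate(bob, { text: "x", codename: bobCode }, v1)); // non-owner update
```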
