(backend)
| 240 | |
| 241 | describe('access control', function() { |
| 242 | function setupOpMiddleware(backend) { |
| 243 | backend.use('apply', function(request, next) { |
| 244 | request.priorAccountId = request.snapshot.data && request.snapshot.data.accountId; |
| 245 | next(); |
| 246 | }); |
| 247 | backend.use('commit', function(request, next) { |
| 248 | var accountId = (request.snapshot.data) ? |
| 249 | // For created documents, get the accountId from the document data |
| 250 | request.snapshot.data.accountId : |
| 251 | // For deleted documents, get the accountId from before |
| 252 | request.priorAccountId; |
| 253 | // Store the accountId for the document on the op for efficient access control |
| 254 | request.op.accountId = accountId; |
| 255 | next(); |
| 256 | }); |
| 257 | backend.use('op', function(request, next) { |
| 258 | if (request.op.accountId === request.agent.accountId) { |
| 259 | return next(); |
| 260 | } |
| 261 | var err = {message: 'op accountId does not match', code: 'ERR_OP_READ_FORBIDDEN'}; |
| 262 | return next(err); |
| 263 | }); |
| 264 | } |
| 265 | |
| 266 | it('is possible to cache add additional top-level fields on ops for access control', function(done) { |
| 267 | setupOpMiddleware(this.backend); |
no test coverage detected
searching dependent graphs…