mers icon indicating copy to clipboard operation
mers copied to clipboard

Published 20 hours ago verified publisher icon jspears

Filter by ObjectIds

Open kersten opened this issue 11 years ago • 5 comments

Hello,

I have a collection where the documents are matched against a user_id. So my document looks something like this:

{
    "duration": "00:20",
    "name": "Samplename",
    "user_id": { "$oid" : "51d299b48e8ab7da3a000003" },
    "__v": 0,
    "_id": { "$oid" : "51d29c79579343a63b000003" }
}

Is there an easy way of just fetching documents where the user_id matches when I GET the documents? Filter doesn't work because you are using a RegEx which will not work with ObjectId fields.

kersten avatar Jul 04 '13 14:07 kersten

Creating a finder is the easiest way

Sent from my iPhone

On Jul 4, 2013, at 10:08 AM, Kersten Burkhardt [email protected] wrote:

Hello,

I have a collection where the documents are matched against a user_id. So my document looks something like this:

{ "duration": "00:20", "name": "Samplename", "user_id": { "$oid" : "51d299b48e8ab7da3a000003" }, "__v": 0, "_id": { "$oid" : "51d29c79579343a63b000003" } }

Is there an easy way of just fetching documents where the user_id matches when I GET the documents? Filter doesn't work because you are using a RegEx which will not work with ObjectId fields.

— Reply to this email directly or view it on GitHubhttps://github.com/jspears/mers/issues/9 .

jspears avatar Jul 04 '13 14:07 jspears

Ok, got that. But how would you implement security? You write that it should be a good place to use a transformer, but how would I get the currently logged in user? I cannot get the session object, or do I miss something?

kersten avatar Jul 04 '13 14:07 kersten

You can use a filter and capture the user. Due to nodes threading model you can do things you wouldn't do in other frameworks. I use passport for general security it works fine. For more granular security transformers and filters should work.

Sent from my iPhone

On Jul 4, 2013, at 10:32 AM, Kersten Burkhardt [email protected] wrote:

Ok, got that. But how would you implement security? You write that it should be a good place to use a transformer, but how would I get the currently logged in user? I cannot get the session object, or do I miss something?

— Reply to this email directly or view it on GitHubhttps://github.com/jspears/mers/issues/9#issuecomment-20480078 .

jspears avatar Jul 04 '13 14:07 jspears

How can you use transformers for security? Surely all the user needs to do to circumvent it is make a request and strip any transformers or filters?

gausie avatar Sep 19 '13 17:09 gausie

well, you can override the transformers in the route preventing someone from just injecting transformers in there. req.get('/rest/api/*', function(req, res, next){

req.query.transformers = ['yourselecurity transformer']; next(); });

On Thu, Sep 19, 2013 at 1:25 PM, Samuel Gaus [email protected]:

How can you use transformers for security? Surely all the user needs to do to circumvent it is make a request and strip any transformers or filters?

— Reply to this email directly or view it on GitHubhttps://github.com/jspears/mers/issues/9#issuecomment-24757447 .

jspears avatar Sep 20 '13 16:09 jspears