These are chat archives for Automattic/mongoose

5th Dec 2016
Fernando Vega
@vegafx12
Dec 05 2016 00:01
let's say that if i create the Cat model in my app, I want to DOUBLY ENSURE that any time I use that model in my app, it is ONLY able to read and I want the database to error out on that "kitty.save" statement with "permission denied".
in a separate situation, I may create a DOG model, where something like "...puppy.save..." WOULD be allowed
in that case, I would use mongoose.connect('mongodb://admin:password@localhost/test') to connect as the user with the necessary permissions to perform that "save" action
so this way, I can ensure that if I create a model that performs some database logic, I must ensure that I am connecting to the database with the correct user account. Does that make sense? Sorry, I might be overthinking this a bit...
Eddie Bracho
@ebracho
Dec 05 2016 00:05
Yeah that makes sense. But what's preventing your application from being compromised in a way that allows the malicious user to change db connections?
Fernando Vega
@vegafx12
Dec 05 2016 00:13
well haha you've got me there! I don't know the answer to that. I guess, in reality, if someone wanted to get in, they're going to get in! lol... But, I was hoping that I could at least try and make it a bit more difficult for them to do so. In my actual application, I have an express server serving my client files statically from my aurelia app.... My aurelia application is handling all data requests through fetch requests to my express api, which has different models set up to connect to the database using different user accounts for various levels of access
the database config would be in a different javascript file and connect functions exported as modules so the credentials would never be directly exposed through the api
not sure if any of that would make it difficult at all