These are chat archives for Automattic/mongoose

19th
Jun 2018
Kev
@lineus
Jun 19 2018 00:32
@makinde what if you returned an error when the doc shouldn't be viewed and handled that error appropriately (i.e., different response, etc.)? simple gist
Kev
@lineus
Jun 19 2018 01:07
The longer I think about it, the better I feel about that being an error. It has the fact that it doesn't obfuscate the normal null response from findOne going for it. It also fits directly into the mongoose pattern of middleware either returning the doc or an error, plus the bonus that a lack of permissions being an error just feels right :)
Makinde Adeagbo
@makinde
Jun 19 2018 01:43

BTW, for context, the module I'm working on is mongoose-authz. The readme is decent, but pretty out of date right now, but you'll get the gist.

It handles lack of permissions on write requests as an error. For read requests (find & findOne), it typically just tries to hide what you can't see. The permissions are down to the individual field level. So if a request is made trying to get the first_name and last_name fields, but the user is only authorized to see the first_name field, the library will strip out the last_name field and still return the info that the user can see. That lets an application consuming the data still work with what the user can do, and not have to check to see what fields can be accessed before doing the query.

For find requests, the module will strip out entire objects from the result set if the user can't see them. That also feels right. For instance, if you ask for a list of all of someone's photos, but you can only see half of them, the request is still valid, and the correct half of the photos you can see are returned. This is easy for the module to accomplish since it can mutate the array and splice results out of that.

For findOne, the result is just the single object, so it's not possible to return null. I think the answer for how this should behave is the same question about how mongoose should behave natively. Mongoose decided that findOne should return null when something is not found, and thus it seems like this library should do the same so the semantics of all the methods are the same.

https://github.com/devcolor/mongoose-authz

That said, @lineus, I'm trying to wrap my models with express-restify-mongoose. So I actually think an error would work in my particular case (since findOne is only used for id's), but I'm not sure it's the right, general solution.

zedsa
@zedsa
Jun 19 2018 03:16
How come I can use forEach() on mongodb documents/objects? Do mongodb documents have small array features, so that we can use forEach()? I use it in EJS and it works.
Kev
@lineus
Jun 19 2018 09:20
The js module that you're using to connect to mongodb (presumably mongoose) can return arrays of documents, for example Model.find().
@zedsa ^
adeeldev
@adeel1dev_gitlab
Jun 19 2018 13:32
Hi,
I have a video schema. Now I have to filter videos based on the watched and unwatched history of each user. Plus we are tracking data like
likes,
comments,
shares
associated with this video schema. What would be the best schema structure for this?
For now I am using different collections for Likes, Comments and watched data. Then I have to filter in the query based on userId. Things are working. I just want to know if there is another, better way to do this.
Thanks
adeeldev
@adeel1dev_gitlab
Jun 19 2018 14:15
?
adeeldev
@adeel1dev_gitlab
Jun 19 2018 14:25
Is there anybody active in this thread?
Kev
@lineus
Jun 19 2018 19:37
@adeel1dev_gitlab you'll probably have more luck on the mongodb slack channel here
it's painless to sign up and your question will probably get more attention there.