    Harald Wiesinger
    @s3ppo
    yeah, but then i have to make a second rule for DELETE only ;-)
    would be cool to have just one acl rule for 1 collection
    Harald Wiesinger
    @s3ppo
    is there a way to automatically add the ip address to a clients POST request?
    Andrea Di Cesare
    @ujibang
    you mean the ip of the client making the request?
    Andrea Di Cesare
    @ujibang
    you can add the following properties to the collection
    PUT /collection
    
    { "addRequestProperties": { "log": [ "userName", "remoteIp" ] } }
    now this will be added to POST /coll, PUT /coll/doc and PATCH /coll/doc
    Harald Wiesinger
    @s3ppo
    yes, thanks a lot i will try it :)
    Andrea Di Cesare
    @ujibang
    with upcoming 6.0 it will be easier
    Harald Wiesinger
    @s3ppo
    super, can't wait for it :)
    Andrea Di Cesare
    @ujibang
    you can define a permission in acl.yml (or /acl collection) as follows:
    - role: user
      predicate: path(/coll)
      priority: 100
      mongo:
        overriddenProps: {"remoteIp": "@request.remoteIp" }
    Harald Wiesinger
    @s3ppo
    the acl method is for 6.0 ?
    or is it working actually ?
    Andrea Di Cesare
    @ujibang
    yes 6.0
    Harald Wiesinger
    @s3ppo
    ah okay :)
    Andrea Di Cesare
    @ujibang
    another more complex permission example is
    # allow role 'user' access /{username} with read and write filter, cannot use ?filter qparam
        - roles:
            - user
          predicate: path-template[value="/{username}"] and equals[%u, "${username}"]
          priority: 100
          mongo:
            readFilter: '{"status": "public"}'
            writeFilter: '{"status": "public"}'
            protectedProps: ["status", "user"]
            overriddenProps: {"status": '"public"', "user": "@user.userid"}
            forbiddenQueryParams: [ "filter" ]
    Harald Wiesinger
    @s3ppo
    thanks again for all your effort.. really nice progress on Restheart :)
    Andrea Di Cesare
    @ujibang
    glad you like it!
    Harald Wiesinger
    @s3ppo
    is there a variable for the logged in user available for aggregations ?
    something like %USER for the ACLs ?
    Harald Wiesinger
    @s3ppo
    is it a bug that in aggregations on the user collection the passwords are shown ? ;-)
    Andrea Di Cesare
    @ujibang
    Currently you can use in aggregation the following vars: Starting from RESTHeart v4.2.0 the following aggregation variables can be used to allow handling paging in the aggregation via default page and pagesize query parameters:
    @page the value of the page query parameter
    @pagesize the value of the pagesize query parameter
    @skip to be used in $skip stage, equals to (page-1)*pagesize
    @limit to be used in $limit stage, equals to the value of the pagesize query parameter
    In V6 you'll have also @user and @request objects. So you could use for instance @user.property (assuming that 'property' is defined in the user document)
    There is no automatic hiding of the password in aggregations like you have in the standard GET request on users collection. The idea is that aggregations are free to be defined by the developer. Just add a project stage to hide it.
    Harald Wiesinger
    @s3ppo
    allright ... v6 will be great :)
    has all the features that are interesting for me :)
    Harald Wiesinger
    @s3ppo

    is there a way to inject javascript code into the aggregation ? something like:

        [
          {
            "stages" : [
              { "$match" : { "timestamp" : { "$gte": "(new Date((new Date()).getTime() - (3 * 24 * 60 * 60 * 1000)))" } } },
              { "$group" : { "_id" : "$hashtag", "count" : { "$sum" : 1 } } },
              { "$sort" : { "count" : -1 } },
              { "$limit": { "$var": "@pagesize" } }
            ],
            "type" : "pipeline",
            "uri" : "hashtagslastdays"
          }
        ]

    it seems the javascript code in the " is not executed, but without the " it can not be inserted

    Andrea Di Cesare
    @ujibang
    as far as I know, for javascript you need to use mapReduce https://restheart.org/docs/aggregations/#map-reduce
    Harald Wiesinger
    @s3ppo
    @ujibang i tried your tip with the remoteIp but it always shows the ip of the docker host.. is there something i can do ?
    Harald Wiesinger
    @s3ppo

    i tried to set some nginx variables:

    real_ip_header X-Forwarded-For;
    set_real_ip_from 172.19.0.0/16;
    real_ip_recursive on;

    but it seems restheart is not using them ?

    Harald Wiesinger
    @s3ppo
            proxy_pass_request_headers      on;
            proxy_pass_request_body         on;
            proxy_http_version 1.1;
            proxy_redirect     default;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Host $server_name;
    or this taken from stackoverflow.. but no effect :(
    Andrea Di Cesare
    @ujibang
    Hi @s3ppo this is a Docker issue. I found this moby/moby#15086
    Harald Wiesinger
    @s3ppo
    puh there is a lot of information inside.. anything special that i should look for?
    Andrea Di Cesare
    @ujibang
    no it was just to let you know that this issue is due to docker. I don't know how to fix it.
    Harald Wiesinger
    @s3ppo
    oh okay :(
    i am unsure if it's the docker.. i think it's more the nginx
    Harald Wiesinger
    @s3ppo
    my neighbour helped me to create a tcp dump for this inside the docker and we found that the http headers are set correctly inside the docker:
    X-Forwarded-For: 80.123.167.xx
    X-Real-IP: 80.123.167.xx
    it seems restheart is ignoring them
    Harald Wiesinger
    @s3ppo
    in other dockers like nextcloud or organizr this is working correctly, because these dockers use the client ips for fail2ban for example
    Andrea Di Cesare
    @ujibang
    ah ok I got it. You are using nginx as a reverse proxy. So for restheart the client ip is the proxy ip!
    Harald Wiesinger
    @s3ppo
    yeah exactly :)
    Andrea Di Cesare
    @ujibang
    remoteIp is valued with ExchangeAttributes.remoteIp().readAttribute(exchange)
    this is from undertow code.
    You need a custom interceptor if you want to log the value of the header X-Forwarded-For
    Harald Wiesinger
    @s3ppo
    oh okay thanks for the info. i think there will be a lot to read in the evening :)
    are the custom interceptors only available in the custom services, or are they also available for the property collection (where i can use for example the remoteIp)
    Andrea Di Cesare
    @ujibang
    yes you can intercept any service
    Andrea Di Cesare
    @ujibang
    basically to intercept a request to MongoService you implement the MongoInterceptor interface!
    Harald Wiesinger
    @s3ppo
    i am afraid this is too much java for me, but thanks anyway ;)
    Harald Wiesinger
    @s3ppo
    my goal would be not to make my own service to attach the ip.. it would be better to attach something to the normal POST method .. similar to your remoteIP which is placed in the properties collection