JKHeadley / appy-backend

A user system to bootstrap your app.
https://appyapp.io
MIT License

Adding authorizeDocumentCreator #18

Closed kpfromer closed 7 years ago

kpfromer commented 7 years ago

So I am at the point where I want to set authorizeDocumentCreator to true. I have done so by adding enableDocumentScopes: true and authorizeDocumentCreator: true to the config.js file, I have also dumped the database and reseeded it. I have created a simple model object for demonstration.

'use strict';

module.exports = function (mongoose) {
    var modelName = "task";
    var Types = mongoose.Schema.Types;
    var Schema = new mongoose.Schema({
        description: {
            type: Types.String,
            required: true
        },
        complete: {
            type: Types.Boolean,
            required: true
        }
    }, { collection: modelName });

    Schema.statics = {
        collectionName: modelName,
        routeOptions: {}
    };

    return Schema;
};

When I log in and post a new task I am returned this

[
    {
        "_id": "5a061eee5cf6bb24a63a54d4",
        "description": "Hello world!",
        "complete": false,
        "scope": {
            "rootScope": [
                "user-5a061e8b51742324957e72bb"
            ]
        },
        "createdAt": "2017-11-10T21:49:34.685Z",
        "isDeleted": false
    }
]

But when I try to get the task I encounter an error!

{
    "docs": [
        {
            "error": "Insufficient document scope."
        }
    ],
    "pages": {
        "current": 1,
        "prev": 0,
        "hasPrev": false,
        "next": 2,
        "hasNext": false,
        "total": null
    },
    "items": {
        "begin": null,
        "end": null,
        "total": 1
    }
}

I don't know why I am getting "error": "Insufficient document scope." since I am using the same user account! Thanks, Kyle Pfromer

JKHeadley commented 7 years ago

@kpfromer The answer is the scope for your user does not contain "user-5a061e8b51742324957e72bb". When you login you can see your user's scope at the bottom of the response.

This is actually something I meant to add in earlier to appy but forgot. I just pushed an update with the appropriate functionality to add "user-{_id}" to a user's scope upon login. If you pull the latest version of appy this should work for you and you won't receive the "Insufficient scope" error.
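
The scope comparison behind the "Insufficient document scope." result, as an added illustration that is not appy's own code and not part of this thread: a document's rootScope is matched against the caller's scope, and the creator's own read only succeeds once the user's scope carries a "user-<_id>" entry. The function names (userScopeBefore, userScopeAfter, hasDocumentScope, readDocs), the role value and the rule that a document without a rootScope is unrestricted are assumptions made for the example.

```javascript
// Added example, not appy's implementation: how a document-scope check of the
// kind described in this issue resolves before and after "user-<_id>" is added
// to the user's scope at login. All function names here are hypothetical.

// Constructed sample: the logged-in user (the _id is the one from the thread,
// the role is made up) and the task that user created.
const loggedInUser = { _id: '5a061e8b51742324957e72bb', role: 'user' };

const taskDoc = {
  _id: '5a061eee5cf6bb24a63a54d4',
  description: 'Hello world!',
  complete: false,
  scope: { rootScope: ['user-5a061e8b51742324957e72bb'] },
};

// Scope as issued before the fix: the role only.
function userScopeBefore(user) {
  return [user.role];
}

// Scope after the fix: the role plus a per-user "user-<_id>" entry.
function userScopeAfter(user) {
  return [user.role, `user-${user._id}`];
}

// A document is readable when at least one rootScope entry of the document is
// present in the caller's scope. Assumption for this example: a document with
// no rootScope is unrestricted.
function hasDocumentScope(userScope, doc) {
  const required = (doc.scope && doc.scope.rootScope) || [];
  if (required.length === 0) return true;
  const granted = new Set(userScope);
  return required.some((entry) => granted.has(entry));
}

// Mirror the list response from the thread: a document the caller may not read
// is replaced by an error placeholder, so the page keeps its size.
function readDocs(userScope, docs) {
  return docs.map((doc) =>
    hasDocumentScope(userScope, doc) ? doc : { error: 'Insufficient document scope.' }
  );
}

console.log('before login fix:', readDocs(userScopeBefore(loggedInUser), [taskDoc]));
console.log('after login fix: ', readDocs(userScopeAfter(loggedInUser), [taskDoc]));
```

The check is deliberately an intersection test rather than a comparison against request.auth.credentials.user._id: the same document can list several scope entries in rootScope (a user, a group, an admin role), and the per-user entry is just one of them.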

kpfromer commented 7 years ago

@JKHeadley I was under the impression that all routes would automatically check for request.auth.credentials.user._id and then compare. Thanks for adding the feature.

Adding to this issue, is there any way to remove the following if the user doesn't own it? It might cause issues for the frontend since it will have to remove every object that contains an Insufficient document scope error.

{
    "error": "Insufficient document scope."
}

JKHeadley commented 7 years ago

@kpfromer That's one of the ways it could be implemented. The docs show a similar method. You can create a policy to implement it differently if you like. The default method uses scopes only.

The response objects are replaced with the error to prevent pagination issues. If you need to remove them, I would suggest creating a policy that filters out all the error objects. This was a tricky problem to deal with. I'm certainly open to any suggestions if you feel there is a better solution.

kpfromer commented 7 years ago

@JKHeadley How would one get what is going to be returned in the "doc" payload? I am trying to create an onPostHandler policy but don't know what to modify or get in the request parameter of the policy to achieve this functionality.

JKHeadley commented 7 years ago

@kpfromer you can access the response through "request.response.source", so the docs would be "request.response.source.docs".

kpfromer commented 7 years ago

I am using an onPostHandler policy and then I am reading the request.response.source.docs but it only returns the valid items, not the ones that have errors.

kpfromer commented 7 years ago

I fixed the issue; I needed to use an onPreResponse policy. At the point the policy is run, the errors are in the doc and can be removed.
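
The filtering policy that JKHeadley suggests and that the thread ends up implementing at onPreResponse, as an added example that is not the project's own code and was not posted in this issue. The policy signature (request, reply, next) and the applyPoint property are assumptions about the mrhorse-style policies appy used with hapi at the time; the function names stripScopeErrors and removeScopeErrors are hypothetical, and the sample response is constructed from the shape shown above.

```javascript
// Added example, not appy's code: drop the "Insufficient document scope."
// placeholders from a list response in an onPreResponse policy.
// The (request, reply, next) signature and `applyPoint` are assumptions about
// the mrhorse-style policy API; check them against your appy/hapi version.

const SCOPE_ERROR = 'Insufficient document scope.';

// Pure filter over the response payload. Handles the paginated shape from the
// thread ({ docs, pages, items }) and a bare array of docs. Returns a new
// object and leaves the original payload untouched.
function stripScopeErrors(source) {
  const isScopeError = (d) => d !== null && typeof d === 'object' && d.error === SCOPE_ERROR;
  if (Array.isArray(source)) return source.filter((d) => !isScopeError(d));
  if (!source || !Array.isArray(source.docs)) return source;
  return { ...source, docs: source.docs.filter((d) => !isScopeError(d)) };
}

// Policy wrapper. At onPreResponse the response may already be a Boom error,
// in which case there is no payload to filter and we just continue.
function removeScopeErrors(request, reply, next) {
  const res = request.response;
  if (res && !res.isBoom && res.source) {
    res.source = stripScopeErrors(res.source);
  }
  next(null, true); // true = the policy passed, continue the lifecycle
}
removeScopeErrors.applyPoint = 'onPreResponse';

// Constructed sample mirroring the GET response in the thread, with one
// readable document added so the filter has something to keep.
const sampleResponse = {
  docs: [
    { _id: '5a061eee5cf6bb24a63a54d4', description: 'Hello world!', complete: false },
    { error: SCOPE_ERROR },
  ],
  pages: { current: 1, prev: 0, hasPrev: false, next: 2, hasNext: false, total: null },
  items: { begin: null, end: null, total: 2 },
};

console.log(JSON.stringify(stripScopeErrors(sampleResponse), null, 2));
```

Note the trade-off JKHeadley describes: the filter only touches `docs`, so `items.total` and the page bookkeeping still reflect the documents the query matched, and a page can come back shorter than the requested limit. That is exactly why the default keeps a placeholder per withheld document, and a frontend that removes the placeholders itself has the same mismatch to deal with.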