jspears / mers

Mongoose Express Rest Service
MIT License
343 stars 42 forks

Filter by ObjectIds #9

Open kersten opened 11 years ago

kersten commented 11 years ago

Hello,

I have a collection where the documents are matched against a user_id. So my document looks something like this:

{
    "duration": "00:20",
    "name": "Samplename",
    "user_id": { "$oid" : "51d299b48e8ab7da3a000003" },
    "__v": 0,
    "_id": { "$oid" : "51d29c79579343a63b000003" }
}

Is there an easy way of just fetching documents where the user_id matches when I GET the documents? Filter doesn't work because you are using a RegEx which will not work with ObjectId fields.

jspears commented 11 years ago

Creating a finder is the easiest way

kersten commented 11 years ago

Ok, got that. But how would you implement security? You write that it should be a good place to use a transformer, but how would I get the currently logged in user? I cannot get the session object, or am I missing something?

jspears commented 11 years ago

You can use a filter and capture the user. Due to Node's threading model you can do things you wouldn't do in other frameworks. I use passport for general security; it works fine. For more granular security, transformers and filters should work.

gausie commented 11 years ago

How can you use transformers for security? Surely all the user needs to do to circumvent it is make a request and strip any transformers or filters?

jspears commented 11 years ago

Well, you can override the transformers in the route, preventing someone from just injecting transformers in there.

app.get('/rest/api/*', function (req, res, next) {
    // Replace whatever transformers the client sent with the server's own list
    req.query.transformers = ['your security transformer'];
    next();
});

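The route override from the last comment, combined with the per-user scoping asked about at the top of the thread, as an added example that is not part of the original thread or of the mers code base. It assumes an auth layer such as passport has set `req.user` and that `req.query` is a plain mutable object, as in the snippet above; `pinTransformers`, `ownerConditions` and the transformer name `ownerOnly` are hypothetical.

```javascript
// Added example. Plain functions with Express middleware signatures, so it runs without Express.
const OBJECT_ID_HEX = /^[0-9a-f]{24}$/i;

// Hypothetical transformer name; the server, not the client, decides this list.
const PINNED_TRANSFORMERS = ['ownerOnly'];

// Middleware: reject anonymous requests, then overwrite client-supplied transformers.
function pinTransformers(req, res, next) {
  // Assumption: an auth layer (e.g. passport) has already populated req.user.
  const id = req.user && String(req.user._id);
  if (!id || !OBJECT_ID_HEX.test(id)) {
    res.statusCode = 401;
    return res.end('authentication required');
  }
  // Overwrite instead of merging: covers ?transformers=x, repeated keys and
  // ?transformers[]=x alike, since whatever was parsed is discarded.
  req.query.transformers = PINNED_TRANSFORMERS.slice();
  next();
}

// Query conditions for a finder: the owner constraint is applied last, so a
// client-supplied user_id (including an operator object like {$ne: null}) loses.
function ownerConditions(req, clientConditions) {
  return Object.assign({}, clientConditions, { user_id: String(req.user._id) });
}

// Constructed request and response objects for a stand-alone run.
function demo() {
  const req = {
    user: { _id: '51d299b48e8ab7da3a000003' },
    query: { transformers: [], user_id: { $ne: null } },
  };
  const res = { statusCode: 200, end() {} };
  let passed = false;
  pinTransformers(req, res, () => { passed = true; });
  return {
    passed,
    transformers: req.query.transformers,
    conditions: ownerConditions(req, { user_id: req.query.user_id, name: 'Samplename' }),
  };
}
console.log(JSON.stringify(demo()));
```

Mongoose casts the 24-character hex string to an ObjectId when the schema path is declared as an ObjectId, so the conditions object can be passed to a query as-is.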