search

vsivsi / meteor-file-collection

Extends Meteor Collections to handle file data using MongoDB gridFS.
http://atmospherejs.com/vsivsi/file-collection
Other
159 stars 37 forks source link

ongoworks:security compatibility #64

Closed nickredmark closed 9 years ago

nickredmark commented 9 years ago

For security I use the ongoworks:security package: https://github.com/ongoworks/meteor-security

For some reason the pattern breaks with file collections:

@Files = new FileCollection 'files',
    resumable: true
    http: [
        method: 'get'
        path: '/:md5'
        lookup: (params, query) ->
            md5: params.md5
    ]

Files.permit(['insert']).apply()

generates the error

Error: [Unrecognized allow rule type 'transform'.]
vsivsi commented 9 years ago

File collections implement allow/deny rules differently from regular collections. They have ''insert' and 'remove' rules, but no 'update' rules (clients are always prohibited from updating directly to prevent possible invalid gridFS documents.) They also have 'write' and 'read' rules to control access to the file data itself.

From the meteor-security documentation, it appears that they've done some work to make it compatible with CollectionFS and its 'download' rule (similar to the file-collection 'read' rule). But that required extra work in meteor-security.

File-collection is significantly different from CollectionFS in that a FileCollection is a proper MongoDB gridFS collection, whereas a CollectionFS collection is just a regular MongoDB collection that sits between the app and a pluggable file store (which may be implemented as a gridFS store). The difference in these approaches may make it quite a bit of work to make meteor-security compatible with file-collection. I'm speculating, but that seems likely.

nickredmark commented 9 years ago

Makes sense, thank you