Removing users from channels does not remove documents #264
Comments
|
Not a bug, but some interesting behaviors that need better documentation.
The changes feed only notifies clients of new revisions of documents, not of indirect changes like channel access being lost. In most cases if you lose access to a channel it's because of a change to a document that granted you access to it, and you'll see that change. (For example, a "chat room" document that lists the room's members and gives them access to its messages channel; if you get removed from the member list you'll get a change to the room doc telling you it's no longer accessible.)
A subtle point: read and write access to documents are independent. In fact write access is entirely governed by your sync function: unless the sync function rejects the revision, a client can modify any document. This is necessary because there are valid use cases where you should be able to write to a channel you don't have read access to — a "drop box". An example would be an email system where every user has an inbox channel that only they have access to, and you send mail by creating a document targeted at another user's inbox. But after writing this, I'm thinking that this rationale only applies to creating new documents. It doesn't seem valid to be able to update a document that isn't in any channel you have access to. Hm. I should bring this up with Chris. |
|
@jchris, any thoughts on this? Would we break any use cases by automatically rejecting updates of existing documents that the user doesn't have read access to? |
|
My gut says we shouldn't treat modifications differently - all you need is one call to requireAccess(doc.channels) The reason why is logical consistency in our APIs. Nowhere else (aside from optimizations) do we treat the first rev of a document specially. And it would be a deviation from the wysiwyg sync function API. But these are all matters of taste. It sounds like a lot of the issue here is driven by CBL keeping stuff around. Currently CBL doesn't know which channels a doc is on, so we can't drop whole channels on the client. So we may need a mechanism to send removed marks down to CBL even when it's not the doc that changed it's the access control. Definitely worth thinking about these. |
|
If there is a reasonable implementation so that CBL can be sent _removed messages for documents when the users access control changes, we should implement it. At first glance it seems like a hard problem:
I'm just not sure Sync Gateway should be sending messages for each removed document. Maybe it's clearer and easier to reason about if Sync Gateway sends lists of channels the user can (no longer) access, and trusts CBL to remove any docs which no longer match any channels. There are lots of reasons I can think users might want to drop whole channels from a CBL instance anyway, so we'd get more than just this out of tracking the matching channels in the client. The only thing this breaks is compatibility with other ecosystem members. (Do we know how CouchDB reacts to the |
CBL doesn't know what channels docs are in. That information only lives on the server. |
|
From a end-user standpoint it makes a lot of sense for the documents to be removed if the user looses access to the channel the document is on. Without this I can't really see a way to implement access control using roles. You would have to find and update all the documents affected manually, removing the user from the list of users (channels) that has access to that specific document. |
|
@waynecarter thoughts on this? we should define in spec what agreed behavior should be, and share with @amy-kurtzman |
|
@jessicacb Post beta-1 we added Document.isGone. It's scheduled to go into the spec as part of issue couchbaselabs/couchbase-lite-api#39 (which I am very behind on getting done). @jchris @snej on your comments above, is there an issue w/ this? |
|
Any updates regarding this? |
|
A lot of the changes-feed code was rewritten over the past month, but I'd have to look at the code to tell whether this behavior changed. |
|
This may be working correctly now with the rewritten changes-feed code in beta 3. @jnordberg, could you verify? |
|
Nope, same behaviour as before (tested against 79d1f7f) |
|
@jnordberg, I don't understand this comment you made:
Roles do work for access control, without having to update individual documents. If a user only had access to a doc through a role, then removing that role means the user can't access that doc anymore. The only thing missing is that the current version of that document doesn't get removed from a client that's already downloaded it. (It's kind of like the way that when your subscription to a magazine expires, the publisher doesn't come to your house and take away the back issues. :) Earlier:
Sounds like your sync function needs to validate that the user has access to the document they're updating. |
|
The problem with propagating doc removals when a user loses access to a channel is that there aren't any actual sequence numbers corresponding to them. The changes feed would need to include an entry for each document in the channel, containing the |
Yep, using channels to manage access control like @jchris pointed out earlier works great.
Wouldn't that make the product a distribution gateway and not a synchronising gateway? I would like it to work more like a bank, it lends documents to you at interest and if you don't pay up it busts in to your house and takes them back along with your furniture. 😀 The problem we are trying to solve is that in our setup users can belong to one or more companies, and when a company removes a user they want the documents to be removed as well. Do you have some idea of a workaround for that with the way the gateway currently works?
I'm not familiar with the internals of sync_gateway but couldn't you just maintain a document to channel map and a channel to user map, and when a channel is removed from a user you look up what documents that channel has and emit a event to the user? |
|
Well, the innards are a lot more complicated than that, because it has to scale to huge numbers of docs and users and everything's persistent. But the real problem is that the notion of "events" (aka "sequences") is based on changes to documents, and removing user access to a channel doesn't change the documents in the channel. So the changes sent to the user would be a different sort of event that doesn't currently exist in the gateway. |
|
Currently the client doesn't track which channels are the reason it has a On Thursday, April 3, 2014, Jens Alfke notifications@github.com wrote:
Chris Anderson @jchris |
|
Good idea, Chris. But CBL would have to keep a many-to-many relationship between docs and channels, which would add overhead. |
|
Doing this would require architectural changes. It'll take some significant thinking about design, and possibly major implementation work. Tagging as Epic. |
|
Hi! Is there a fix/workaround for that? |
|
Here are a few workaround scenarios that I put together w/ @adamcfraser. Hopefully at some point a more refined version of these will make it into our official docs. The examples center around hypothetical Sales Associates, Sales Managers, and Sales Leads, and hopefully map easily to common data models. The formatting is a bit rough since they are just sketches at this point. @jnordberg @petr-vysotskiy @tommyo @atom992 -- would love to hear feedback on what does and doesn't make sense with these examples! Scenario + Workaround #1: Sales Associate Promotion + Demotion
|
Scenario + Workaround #2: Sales lead assigned to Sales Associate and later un-assigned
|
|
|
AFAIK the solution we ended up using was very similar to workaround 1, I've since left the company but the @SafetyCulture guys might have some input, ping @dancet @tjdavey 👋 |
The difference is essentially the following:
|
ghost
added this to the 
|
Workaround 1 does not work with the current versions of software - couchbase 5.0.1, sync gateway 1.5.1 and couchbase lite 1.4.1.
Is this a bug? or has the expected behavior changed? |
|
Please ignore my previous email ... I updated the sync gateway config to have a sync function which includes a RequireAccess function for the documents current channels and the delete from the mobile device does not delete the doc from the gateway. This in co-ordination with the purge document works a treat :o) |
|
@geraldapeoples glad to hear! |
I'm building a test app to try to get my head around the channels and roles thing.
The app just has a list of documents and the sync gateway is using the default sync function.
Each user has is assigned an admin_channel with the same name as their username. And when a user creates a document it is created with 2 channels, their username and a 'admin' channel. I have also created an admin role with
admin_channels: ['admin'].So far so good, when i create new documents they get synced to all users with the admin role, and when i assign the admin role to a user their documents list get populated with all documents.
The problem is when i remove the admin role from an user, they still have all the documents (or at least they don't get notified that the documents have been removed, i.e. my live query does not get triggered) and they can still modify them and the changes propagate.
Am i missing something or is this a bug?
The text was updated successfully, but these errors were encountered: