Constraints

dscape edited this page Mar 4, 2011 · 1 revision

Bound parameters

When you bind parameters you sometimes need to check that they are valid. For our Twitter example, we would want to validate that dscape is indeed a proper :user using a regular expression. In a simpler case you might want to check that an :id is a decimal number. You can do that using the XML Schema datatypes:

 Request       : GET /user/dscape
 routes.xml    : <routes> 
                   <get path="user/:id">
                     <constraints>
                       <id type="integer"/>
                     </constraints>
                     <to> user#show </to>
                   </get>
                 </routes>
 Dispatches to : /static/user/dscape  (no match of type xs:integer, trying static)

Regular Expression Example:

 Request       : GET /lost-username/bill@sample.com
 routes.xml    : <routes> 
                   <get path="lost-username/:email">
                     <constraints>
                       <email 
                         type="string"  match="[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}"/>
                     </constraints>
                     <to> users#recoverUserName </to>
                   </get>
                 </routes>
 Dispatches to : /resource/users.xqy?action=recoverUserName&email=bill@sample.com
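
The constraint check and static fall-through described in this section, modelled in Python as an added example (this is not code from rewrite itself). The names bind, satisfies and dispatch are hypothetical, the routes.xml below is constructed from the two routes above, and treating match as a whole-value match is an assumption about the library.

```python
import re
import xml.etree.ElementTree as ET

# Constructed routes.xml combining the two bound-parameter routes shown above.
ROUTES_XML = r"""
<routes>
  <get path="user/:id">
    <constraints><id type="integer"/></constraints>
    <to> user#show </to>
  </get>
  <get path="lost-username/:email">
    <constraints><email type="string"
      match="[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}"/></constraints>
    <to> users#recoverUserName </to>
  </get>
</routes>
"""

XS_INTEGER = re.compile(r"[+-]?[0-9]+")  # lexical form of xs:integer

def bind(template, path):
    """Bind :name segments of the route template to request segments, or return None."""
    tpl, req = template.strip("/").split("/"), path.strip("/").split("/")
    if len(tpl) != len(req) or any(t != r for t, r in zip(tpl, req) if t[:1] != ":"):
        return None
    return {t[1:]: r for t, r in zip(tpl, req) if t[:1] == ":"}

def satisfies(constraints, params):
    """Every constrained parameter must pass its type check and its match pattern."""
    for c in (constraints if constraints is not None else []):
        value = params.get(c.tag, "")
        if c.get("type") == "integer" and not XS_INTEGER.fullmatch(value):
            return False
        # Assumption: the pattern must cover the whole value (fullmatch, not search),
        # so a value that merely contains a valid address is rejected.
        if c.get("match") and not re.fullmatch(c.get("match"), value):
            return False
    return True

def dispatch(method, request_path, routes_xml=ROUTES_XML):
    """Return the resource URL of the first route whose constraints hold, else static."""
    for route in ET.fromstring(routes_xml).findall(method.lower()):
        params = bind(route.get("path"), request_path)
        if params is not None and satisfies(route.find("constraints"), params):
            resource, action = route.findtext("to").strip().split("#")
            query = "".join(f"&{k}={v}" for k, v in params.items())
            return f"/resource/{resource}.xqy?action={action}{query}"
    return "/static/" + request_path.strip("/")  # no route matched: try static
```

With a substring search instead of a whole-value match, bill@sample.community would pass the email constraint because bill@sample.comm satisfies the pattern, so it is worth confirming which semantics your deployment applies.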

Privileges

Privilege constraints make a route visible to the user if they belong to a role with the specified permission:

 Request       : GET /list
 routes.xml    : <routes> 
                   <privileges>
                     <execute> 
                       http://marklogic.com/xdmp/privileges/admin-ui
                     </execute>
                     <uri>
                       http://marklogic.com/xdmp/triggers/
                     </uri>
                   </privileges>
                   <get path="list"> <to> article#list </to> </get>
                 </routes>
 Dispatches to : /resource/article.xqy?action=list

Many applications use the same login for all accesses to the database. Hence it might be useful to explicitly pass the username in the privilege constraints. This is how you can express this in rewrite:

 Request       : GET /list
 routes.xml    : <routes> 
                   <privileges for="user">
                     <execute> 
                       http://marklogic.com/xdmp/privileges/xdmp-eval
                     </execute>
                   </privileges>
                   <get path="list"> <to> article#list </to> </get>
                 </routes>
 Dispatches to : /resource/article.xqy?action=list

While very flexible, this also means your routes.xml is no longer static: you will have to pass the current user every time a request comes in.

Lambdas

The most flexible way of ensuring constraints is to run an XQuery lambda function. An example usage for a lambda in a constraint would be "only show the user information that pertains to the currently logged-in user":

 Request       : GET /user/admin
 routes.xml    : <routes> 
                   <get path="user/:id">
                     <lambda>
                       xdmp:get-current-user() = $id
                     </lambda>
                     <to> user#get </to>
                   </get>
                 </routes>
 Dispatches to : /resource/user.xqy?action=get&id=admin

The bound parameters will be available in the lambda as an xs:string external variable; e.g. :id will be available as $id.