Access Control Middleware on Query Results?

[curran]

Is there any way to create ShareDB middleware that inspects and modifies the result from a Query subscription? I'd like to make sure that "private" documents do not leak out from any queries, but I'm not sure how it can be done. Any ideas would be appreciated. Thanks!

[rkstedman]

It sounds like you want to actually modify the query results instead of just blocking certain queries? I'm not sure that's possible - but I do know you can access control the queries. For example, if you wanted to restrict a user to accessing only documents they own (userId is their own userId), you could verify the query the client is submitting matches the userId on the shareDb agent.

backend.use 'query', ({agent, collection, query}, next) ->
   if collection is 'private_docs' && query.userId != agent.custom.userId
      return next('access error')
   return next()

Does that help?

[curran]

That's interesting. Thank you for your response!

I will see if this approach can work for us.

[rkstedman]

Hey Curran, wanted to follow up - did this solve your issue?

[curran]

@rkstedman Thanks for following up! Honestly this did not really solve our issue. We have public and private documents in the same collection. We modified our queries to take access control rules into account, so the access control logic needs to be duplicated across all our queries as well as in access control middleware.

Here's an example:

import { DB_DOCUMENTS_PROJECTION } from '../../constants'
import BaseQuerySubscription from './baseQuerySubscription'

// This subscription returns public documents for a given owner
// and documents on which viewer is collaborator.
//
// `owner` is the user id for the user who owns the documents.
// `id` is the user id of the user who is viewing,
//      or empty string if there is no user authenticated.
export default ({owner, id}) => (
  BaseQuerySubscription(       
    {   
      $and: [
        {owner},
        {
          $or: [
            {isPrivate: {$ne: true}},       
            {collaborators: {$elemMatch: {id}}}
          ]
        }
      ] 
    },  
    DB_DOCUMENTS_PROJECTION
  )   
)

It would be great to eliminate the duplicated access control logic around collaborators and public/private, but we haven't found a way yet. Any ideas would be appreciated!

[curran]

Related to https://github.com/dmapper/server-query

It would be great to have a way for the client to specify a query name and parameters, then have the server fill out the full query. This would eliminate the security vulnerability that comes with allowing clients to specify arbitrary queries.

Any ideas how this could be done?

[balek]

server-query can easily be ported to ShareDB: https://github.com/balek/sharedb-server-query

[curran]

@balek very cool! Do you have a working example of it? Also, can it be used without Racer? Thank you.

[balek]

Look at the code it's very simple. To use it without Racer simply make ShareDB query in such format: { $queryName: 'some_name', $params: { ... } }. It will be caught and modified with a registered function.