validate_doc_update.js
function(newDoc, oldDoc, userCtx, secObj) {
  // CouchDB validate_doc_update hook. Throwing {unauthorized: ...} or
  // {forbidden: ...} rejects the write; returning normally accepts it.
  //
  // Policy enforced below, in this order:
  //   1. anonymous writers (userCtx.name === null) are rejected;
  //   2. a new document must name the writer as its owner;
  //   3. owner, created_at and profile are frozen once the document exists;
  //   4. only the owner may change protect;
  //   5. while protect is exactly `true`, only the owner may write at all.
  //
  // secObj and userCtx.roles are never consulted, so no role is exempt
  // from these rules.
  var writer = userCtx.name;
  var isUpdate = Boolean(oldDoc);
  var frozenFields = ["owner", "created_at", "profile"]; // profile: original author unsure it needs freezing
  var i;

  // Field comparison via serialisation (pattern credited to the CouchDB
  // guide). toJSON is not defined in this file; it is expected from the
  // runtime, so the loose comparison of its results is kept as written.
  // Only called when oldDoc exists.
  function fieldDiffers(field) {
    return toJSON(oldDoc[field]) != toJSON(newDoc[field]);
  }

  // Reject any update that alters `field`, whoever the writer is.
  function rejectIfChanged(field) {
    if (isUpdate && fieldDiffers(field)) {
      throw { forbidden: "Field can't be changed: " + field };
    }
  }

  // Reject an update that alters `field` unless the writer owns the
  // stored revision. Ownership is read from oldDoc, never from newDoc.
  function rejectUnlessOwnerChanged(field) {
    if (isUpdate && fieldDiffers(field) && writer !== oldDoc.owner) {
      throw { forbidden: "Field can only be changed by owner: " + field };
    }
  }

  if (writer === null) {
    throw { unauthorized: "You must be logged in to perform that action" };
  }

  // Creation: this is the only point where ownership is established, so
  // the claimed owner has to be the authenticated writer.
  if (!isUpdate && newDoc.owner !== writer) {
    throw {
      forbidden: "Owner field " + newDoc.owner + " must match username " + writer
    };
  }

  // NOTE(review): a tombstone that omits these fields (newDoc carrying
  // little more than _deleted) would differ from oldDoc and be rejected
  // here - confirm that is the intended deletion behaviour.
  for (i = 0; i < frozenFields.length; i += 1) {
    rejectIfChanged(frozenFields[i]);
  }

  rejectUnlessOwnerChanged("protect");

  // Strict comparison: only the boolean `true` locks the document; other
  // truthy values such as "true" or 1 leave it writable by any logged-in user.
  if (isUpdate && oldDoc.protect === true && writer !== oldDoc.owner) {
    throw { forbidden: "Owner has protected this document" };
  }
}