codeninjasllc/codecombat
1
0
Fork 0
mirror of https://github.com/codeninjasllc/codecombat.git synced 2025-03-13 14:43:37 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
Page: Permissions
Pages
Access dev database Access power user features Access url params in a view Accessing data through data attribute Add a Mongoose Model Add a collection schema Add a collection Add a form Add a route Add a view Add basic REST endpoints for a collection Add events to a view Add methods for special server endpoints Add space between elements Adventurer Home Aether Ambassador Home Archmage Home Artisan Home Artisan How To Index Autocomplete Tuning Building A Level Call server from view Change player level Chat Room Rules Chat Room Chief Artisan Level Audition Client models Coco Models Coding Guidelines for Artisans Coding Guidelines Component Authoring Guide Component Components And Systems Tabs Connect Backbone to new collection Cookbook Debug a template Dev Setup: General Information Dev Setup: Issues Dev Setup: Linux Dev Setup: Mac Dev Setup: Vagrant Dev Setup: Windows Developer organization Diplomat Home Edit page translations Editing Thang Components Educational Standards Events, subscriptions, shortcuts File system Git Policies Goals HOWTO: Create static teacher page Handle a server error Home Important Artisan Concepts Inspect a view JSON Schema Keyboard Shortcuts Level editor Make yourself admin Mission statement Multiplayer Organize a complicated template Permissions Programming Concepts Project Ideas List Referee Scripting Run dev client on prod db Sample Code Scribe Home Scripts Tab Scripts Settings Tab Show data in a view Simplify Collision Start a New Level Surface System Tasks Tab Technical overview Test client interface Test client Test server endpoint Testing Thang Component System Thang Thangs Tab Third party software and services Tome Translate page strings Treema Versioning Views World i18n Glossary es 419 i18n Glossary nb i18n Glossary ru i18n
2 Permissions
Nick Winter edited this page 2013-12-26 10:39:05 -08:00
Table of Contents

Once a user is authenticated, authorization to access and modify a document is specified based on two values: the user's permissions array and the document's permissions array. The handler for a given document type determines what can be edited based on those values.

User Permissions

Here's part of Nick's User object:

{
  "_id": "512ef4805a67a8c507000001",
  "...otherProperties...": {},
  "permissions": [
    "admin"
  ],
  "name": "Nick!",
}

For example, the Article handler indirectly checks the user's permissions array for an 'admin' value when determining what methods are allowed, and specifies which properties any user, admin or not, may edit through the handler (so as to prevent editing values such as creation date or version numbers).

Only the web server can really protect the database from unauthorized access or tampering, so if you need to make sure documents only get changed in certain ways, do it through the handler for that sort of document.

Document Permissions

Here's part of the JumpsForeverAndEver Component including its permissions:

{
  "name": "JumpsForeverAndEver",
  "...otherProperties...": {},
  "permissions": [
    {
      "access": "owner",
      "target": "512ef4805a67a8c507000001"
    },
    {
      "access": "read",
      "target": "public"
    }
  ]
}

Document permissions are an array of objects with two properties: target and access. Target is either an ObjectId or the string 'public'. Access is either 'read', 'write', or 'owner'. There must always be at least one entry whose access value is 'owner'. 'read' can access the document, 'write' can access and modify the document, and 'owner' can change the permissions of the document. That's the general rule of thumb, anyway; there are case specific exceptions. For example, users with property 'admin' are assumed to have 'write' permission at all times. The handler for a document must specify any additional special cases.

CodeCombat | Home | Blog | Forum | Teachers | Legal | Contribute