Sync function issue: authenticated users can create documents, but cannot read them.

Simone Scarduzio

Jul 16, 2015, 12:34:35 PM
to mobile-c...@googlegroups.com
Hi all,

I need some help here, there's something probably simple that I'm not getting. I got external authentication working, I have the cookie set correctly and Sync GW recognizes me as a user.

My Sync function looks like this:

function(doc, oldDoc) {
  channel("public");
  if (doc.email) {
    access(doc.email, "public");
  }
}

That would mean: tag any doc with "public" channel, and when the document is a user profile (contains the email field), grant the user called like the email read access to all documents in the "public" channel. Simple, right?

Let's run a simple test with curl. First write a user profile document:

curl -X PUT 'http://sync-gateway:4984/soya_sync/user...@doe.com' -H 'Pragma: no-cache' -H 'Accept-Encoding: gzip, deflate, sdch' -H 'Accept-Language: en,fi;q=0.8,en-US;q=0.6' -H 'CSP: active' -H 'Content-Type: application/json' -H 'Accept: */*'  -H 'Cookie: SyncGatewaySession=15a0d78914df04947bdeedc6431e747a08eda2f4' -H 'Connection: keep-alive' -d '{"email":"jo...@doe.com"}'

All good, I get the document "user...@doe.com" created (I can see it in the UI).
Now let's try to read it:

curl 'http://sync-gateway:4984/soya_sync/user...@doe.com' -H 'Pragma: no-cache' -H 'Accept-Encoding: gzip, deflate, sdch' -H 'Accept-Language: en,fi;q=0.8,en-US;q=0.6' -H 'CSP: active' -H 'Content-Type: application/json' -H 'Accept: */*'  -H 'Cookie: SyncGatewaySession=15a0d78914df04947bdeedc6431e747a08eda2f4' -H 'Connection: keep-alive'

HTTP 403 {"error":"Forbidden","reason":"forbidden"}

I can't understand why I cannot read it back :(


_Simone

Jens Alfke

Jul 16, 2015, 12:52:40 PM
to mobile-c...@googlegroups.com

On Jul 16, 2015, at 9:04 AM, Simone Scarduzio <scar...@gmail.com> wrote:

That would mean: tag any doc with "public" channel, and when the document is a user profile (contains the email field), grant the user called like the email read access to all documents in the "public" channel.

Sync Gateway user accounts are not documents. (That’s for security reasons, among others.)

In Sync Gateway 1.1 there’s a public channel called “!” that you can use for docs that all users should have access to.

Or if you want your own custom public channel, add it to the ‘admin_channels’ JSON property when you create the user account.

—Jens
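
The two options from the reply above (the "!" channel and admin_channels), as an added example that is not part of either post and is not Sync Gateway's own code: a small JavaScript model that runs a sync function with stub channel()/access() built-ins and checks whether an account can read the resulting document. The account names, the sample document and the helper names runSync, canRead and demo are assumptions made for the illustration.

```javascript
// Simplified model of Sync Gateway channel access; not Sync Gateway's own code.
// Sync functions are kept as source strings, as they would appear in a config file.
const originalSync = `function (doc, oldDoc) {
  channel("public");
  if (doc.email) { access(doc.email, "public"); }
}`;
const bangSync = `function (doc, oldDoc) {
  channel("!"); // public channel available in Sync Gateway 1.1
}`;

// Run a sync function with stub channel()/access() built-ins and record the calls.
function runSync(source, doc) {
  const result = { channels: new Set(), grants: [] };
  const channel = (...names) => names.flat().forEach((c) => result.channels.add(c));
  const access = (users, chans) => {
    for (const u of [users].flat()) for (const c of [chans].flat()) result.grants.push([u, c]);
  };
  new Function("channel", "access", "doc", "oldDoc", `(${source})(doc, oldDoc);`)(
    channel, access, doc, null);
  return result;
}

// A user can read a document that sits in at least one channel the user has:
// the account's admin_channels, access() grants to that user name, or "!".
function canRead(user, result) {
  const mine = new Set(["!", ...user.admin_channels]);
  for (const [name, chan] of result.grants) if (name === user.name) mine.add(chan);
  return [...result.channels].some((c) => mine.has(c));
}

// Constructed sample data: account names and the profile document are made up.
const profile = { email: "alice@example.com" };
const plainUser = { name: "alice", admin_channels: [] };
const adminChannelUser = { name: "alice", admin_channels: ["public"] };

function demo() {
  return {
    // Grant goes to the name "alice@example.com", which is not this account's name.
    originalPlain: canRead(plainUser, runSync(originalSync, profile)),
    // Every user can read documents assigned to "!".
    bangPlain: canRead(plainUser, runSync(bangSync, profile)),
    // The custom channel was given to the account through admin_channels.
    originalAdminChannel: canRead(adminChannelUser, runSync(originalSync, profile)),
  };
}

console.log(demo());
```
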