diff options
| author | Maxime Quandalle <maxime@quandalle.com> | 2015-09-08 20:19:42 +0200 |
|---|---|---|
| committer | Maxime Quandalle <maxime@quandalle.com> | 2015-09-08 20:19:42 +0200 |
| commit | 45b662a1ddb46a0f17fab7b2383c82aa1e1620ef (patch) | |
| tree | cc7be215c7e7ebffd2597df70cf271b3dd435e1a /collections/avatars.js | |
| parent | c04341f1ea5efe082bf7318cf9eb0e99b9b8374a (diff) | |
| download | wekan-45b662a1ddb46a0f17fab7b2383c82aa1e1620ef.tar.gz wekan-45b662a1ddb46a0f17fab7b2383c82aa1e1620ef.tar.bz2 wekan-45b662a1ddb46a0f17fab7b2383c82aa1e1620ef.zip | |
Centralize all mutations at the model level
This commit uses a new package that I need to document. It tries to
solve the long-standing debate in the Meteor community about
allow/deny rules versus methods (RPC).
This approach gives us both the centralized security rules of
allow/deny and the white-list of allowed mutations similarly to Meteor
methods. The idea to have static mutation descriptions is also
inspired by Facebook's Relay/GraphQL.
This will allow the development of a REST API using the high-level
methods instead of the MongoDB queries to do the mapping between the
HTTP requests and our collections.
Diffstat (limited to 'collections/avatars.js')
| -rw-r--r-- | collections/avatars.js | 27 |
1 files changed, 0 insertions, 27 deletions
diff --git a/collections/avatars.js b/collections/avatars.js deleted file mode 100644 index 53924ffb..00000000 --- a/collections/avatars.js +++ /dev/null @@ -1,27 +0,0 @@ -Avatars = new FS.Collection('avatars', { - stores: [ - new FS.Store.GridFS('avatars'), - ], - filter: { - maxSize: 72000, - allow: { - contentTypes: ['image/*'], - }, - }, -}); - -function isOwner(userId, file) { - return userId && userId === file.userId; -} - -Avatars.allow({ - insert: isOwner, - update: isOwner, - remove: isOwner, - download() { return true; }, - fetch: ['userId'], -}); - -Avatars.files.before.insert((userId, doc) => { - doc.userId = userId; -}); |