From 45b662a1ddb46a0f17fab7b2383c82aa1e1620ef Mon Sep 17 00:00:00 2001
From: Maxime Quandalle
Date: Tue, 8 Sep 2015 20:19:42 +0200
Subject: Centralize all mutations at the model level This commit uses a new package that I need to document. It tries to solve the long-standing debate in the Meteor community about allow/deny rules versus methods (RPC). This approach gives us both the centralized security rules of allow/deny and the white-list of allowed mutations similarly to Meteor methods. The idea to have static mutation descriptions is also inspired by Facebook's Relay/GraphQL. This will allow the development of a REST API using the high-level methods instead of the MongoDB queries to do the mapping between the HTTP requests and our collections.
---
models/avatars.js | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 models/avatars.js
(limited to 'models/avatars.js')
diff --git a/models/avatars.js b/models/avatars.js
new file mode 100644
index 00000000..53924ffb
--- /dev/null
+++ b/models/avatars.js
@@ -0,0 +1,27 @@
+Avatars = new FS.Collection('avatars', {
+ stores: [
+ new FS.Store.GridFS('avatars'),
+ ],
+ filter: {
+ maxSize: 72000,
+ allow: {
+ contentTypes: ['image/*'],
+ },
+ },
+});
+
+function isOwner(userId, file) {
+ return userId && userId === file.userId;
+}
+
+Avatars.allow({
+ insert: isOwner,
+ update: isOwner,
+ remove: isOwner,
+ download() { return true; },
+ fetch: ['userId'],
+});
+
+Avatars.files.before.insert((userId, doc) => {
+ doc.userId = userId;
+});
-- cgit v1.2.3-1-g7c22
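Review bot: The `update: isOwner` rule in `Avatars.allow` checks only who owns the stored record and never looks at which fields the client is changing, so an owner can presumably rewrite `userId` or other file metadata on their own record. Meteor passes the changed field names as the third argument to update rules, so a narrower rule such as `update(userId, file, fieldNames) { return isOwner(userId, file) && fieldNames.indexOf('userId') === -1; }` would keep ownership immutable. Separately, `contentTypes: ['image/*']` also admits `image/svg+xml`, and the type appears to be whatever the uploading client reports; since `download()` returns true for everyone, an explicit list of raster types would be safer if avatars are served from the application origin. `insert: isOwner` also relies on `doc.userId` already being set by the `before.insert` hook when the rule runs, and a one-line comment stating that ordering assumption would help the next reader.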