I am considering start using RestHeart, however I have not found a satisfactory answer when browsing around for the following question:
In a collection there is one attribute naming the owner of the doc (_id of the user). Given an authenticated user, how can I restrict the result to only docs belonging to that user, even if the user tries to tamper with the REST query by changing the userId?
AFAIU the solution would be to use a custom AccessManager class. So, my follow-up question is: has somebody already implemented something like this and would like to share the code?
A custom AccessManager will work; however, the default SimpleAccessManager can also do it by checking the filter query parameter.
The idea is to have the client request:
GET /db/coll?filter={'userid': <the userid>}
The SimpleAccessManager can now check the filter condition to actually use the authenticated user id with the following predicate:
- role: ROLE
  predicate: path-template[value="/db/coll"] and equals[%{q,filter},"{'userid':'%u'}"] and method[value="GET"]
The trick is done by the following equals predicate, which checks that the filter query parameter is equal to the string {'userid': <authenticated_user_id>}:

    equals[%{q,filter},"{'userid':'%u'}"]
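To make the predicate's behaviour concrete, here is a small Python model of the check above. It is an added example, not RESTHeart or Undertow code: it re-implements the three conditions (path, method, exact string equality of the filter parameter against the authenticated user id) over plain URLs so you can see which requests pass and which tampering attempts are denied. The route /db/coll and the user ids alice and bob are taken from or constructed for the example, and the helper names are assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Route protected by the predicate in the answer (assumption for this example).
PROTECTED_PATH = "/db/coll"


def expected_filter(user_id: str) -> str:
    """The literal the predicate compares against: {'userid':'%u'} with %u
    replaced by the authenticated user id. Note there is no whitespace."""
    return "{'userid':'%s'}" % user_id


def is_allowed(method: str, url: str, authenticated_user: str) -> bool:
    """Model of:
       path-template[value="/db/coll"]
       and equals[%{q,filter},"{'userid':'%u'}"]
       and method[value="GET"]
    Returns True only when every condition holds."""
    parts = urlsplit(url)
    if method.upper() != "GET" or parts.path != PROTECTED_PATH:
        return False
    # parse_qs percent-decodes values and keeps every repetition of a key,
    # so a second filter parameter is visible rather than silently dropped.
    filters = parse_qs(parts.query).get("filter", [])
    # Exactly one filter must be present and it must be byte-for-byte the
    # canonical string for the caller. A repeated filter, a different user id,
    # or merely a reformatted JSON document (extra spaces) is denied; the
    # client has to send the filter exactly as the predicate spells it.
    return len(filters) == 1 and filters[0] == expected_filter(authenticated_user)


def request_url(filter_string: str, extra_query: str = "", path: str = PROTECTED_PATH) -> str:
    """Build a URL the way a client would, percent-encoding the filter value."""
    query = "filter=" + quote(filter_string, safe="")
    if extra_query:
        query += "&" + extra_query
    return path + "?" + query


def run_scenarios(user: str = "alice") -> dict:
    """Constructed requests issued by the authenticated user `user`.
    Returns scenario name -> allowed?"""
    return {
        "own docs, canonical filter":
            is_allowed("GET", request_url(expected_filter(user)), user),
        "tampered: another user's id":
            is_allowed("GET", request_url(expected_filter("bob")), user),
        "tampered: same id but extra whitespace":
            is_allowed("GET", request_url("{'userid': '%s'}" % user), user),
        "tampered: second filter parameter appended":
            is_allowed("GET", request_url(expected_filter(user), "filter=%7B%7D"), user),
        "no filter at all":
            is_allowed("GET", PROTECTED_PATH, user),
        "wrong method":
            is_allowed("POST", request_url(expected_filter(user)), user),
        "other collection":
            is_allowed("GET", request_url(expected_filter(user), path="/db/other"), user),
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print("%-45s %s" % (name, "ALLOW" if allowed else "DENY"))
```

The design choice worth noticing is that equals is a literal string comparison, so the check is deny-by-default: anything the predicate does not spell out exactly, including a harmless reformatting of the same JSON, is refused, and an attacker who rewrites the user id or smuggles in a second filter parameter never reaches the database.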