Centralize all mutations at the model level

This commit uses a new package that I need to document. It tries to solve the long-standing debate in the Meteor community about allow/deny rules versus methods (RPC). This approach gives us both the centralized security rules of allow/deny and the white-list of allowed mutations similarly to Meteor methods. The idea to have static mutation descriptions is also inspired by Facebook's Relay/GraphQL. This will allow the development of a REST API using the high-level methods instead of the MongoDB queries to do the mapping between the HTTP requests and our collections.
2026-03-13 17:06:13 +01:00 · 2015-09-08 20:19:42 +02:00 · 2015-09-08 20:19:42 +02:00 · 45b662a1dd
commit 45b662a1dd
parent c04341f1ea
26 changed files with 395 additions and 377 deletions
--- a/models/avatars.js
+++ b/models/avatars.js
@ -0,0 +1,27 @@
+Avatars = new FS.Collection('avatars', {
+  stores: [
+    new FS.Store.GridFS('avatars'),
+  ],
+  filter: {
+    maxSize: 72000,
+    allow: {
+      contentTypes: ['image/*'],
+    },
+  },
+});
+
+function isOwner(userId, file) {
+  return userId && userId === file.userId;
+}
+
+Avatars.allow({
+  insert: isOwner,
+  update: isOwner,
+  remove: isOwner,
+  download() { return true; },
+  fetch: ['userId'],
+});
+
+Avatars.files.before.insert((userId, doc) => {
+  doc.userId = userId;
+});