Valve Permissions

Rule Types

You can specify permission rules for the following interactions

record

  • create triggered when a record is requested for the first time
  • write operations that change a record’s data. (PATCH & UPDATE)
  • read reading a record’s data
  • delete deleting a record
  • listen listen for other clients subscribing to a record
  • notify whether or not the client can notify of records updated directly in database

event

  • publish sending events
  • subscribe subscribing for events
  • listen listen for other clients subscribing to events

rpc

  • provide registering a client as a RPC provider
  • request making a remote procedure call

presence

  • allow query for connected authenticated clients

Variables

These variables are available for use within a permission rule

user

the authentication data for the user attempting the read or write, containing the following keys:

{
    //Boolean, false if id === 'open'
    isAuthenticated: true, //Boolean
    //the userId / username as returned by auth the auth provider
    id: 'johndoe', //String
    //optional object, containing fields like e.g. role, access level etc
    //returned by auth provider
    data: { role: 'admin' } //Object
}

Usage Example: write to record user-profile is only allowed for owner

record:
  user-profile/$username:
    write: "user.id === $username"

data

the incoming data for records, events and rpcs

Usage Example: only allow publishing of event if it has more than 50 likes

event:
  facebook-news:
    publish: "data.likes > 50"

oldData

the current data, only for records

Usage Example: Only allow bids higher than the current price

record:
  item/*:
    write: "data.bid > oldData.bid"

now

current timestamp on the server in ms

Usage Example: Only allow scheduling appointments in the future

rpc:
  schedule-appointment:
    request: "data.desiredDate > now"

action

the original action that triggered this rule (e.g. UPDATE / PATCH / LISTEN ) etc. Useful for more finegrained/low-level permissions. You can find a list of all available actions here

Usage Example: Only allow patch updates

record:
  user-profile/:
    write: "data.action === 'PATCH'"

$variableName

Variables that are extruded from the record / event / rpc name. Names can contain multiple variables. Variable names start with a dollar and are only allowed to contain uppercase letters, lowercase letters and numbers.

Usage Examples:

record:
  user-profile/$userId:
    # make sure users can only manipulate their own profile
    write: "$userId === user.id"
event:
  # Make sure the headline for `pet-news/pugs` contains the word pug
  pet-news/$pet:
    publish: "data.headline.indexOf( $pet ) !== -1"

Cross reference

_(recordName)

Only for records. Cross-references another record and makes the other record’s data available for the permission rule.

Usage Example:

record:
  car-sale/$transactionId:
    # when booking a new car sale, make sure that
    # the car that's sold exists and that its price
    # is the same or lower than what the customer is charged
    write: "_(data.carId) !== null && _(data.carId).price >= data.price"

String functions

Valve supports the following string functions

  • startsWith
  • endsWith
  • indexOf
  • match
  • toUpperCase
  • toLowerCase
  • trim

Usage Example: make sure a postcode only contains numbers

record:
    address/*:
      write: "data.postcode && data.postcode.match( /^[0-9]*$/ )"