Rule Configs

Syntax

Rule configs are stored as a ".write" property on a path in the database using SET_RULE operation.

{
  <path>: {  // path can include variables like $key
    <to>: {
      <target_node>: {
        .write: <eval string to determine the write permission>
      }
    }
  }
}

Its value is an javascript eval string that will be evaluated true or false to determine users' permission on the path whenever a transaction with value write operations on the path is submitted.

Path Variables and Built-in Variables

The path can have path variables like "/transfer/$from/$to/value" to allow flexibility of rule expressions. In the same context, built-in variables are also provided by the system:

Examples

Rule configs can be set as the following examples:

{
  transfer: {
    $from: {
      $to: {
        $key: {
          value: {
            .write: "auth.addr === $from && !getValue('transfer/' + $from + '/' + $to + '/' + $key) && getValue(util.getBalancePath($from)) >= newData"
          }
        }
      }
    }
  },
  apps: {
    afan: {
      .write: "auth.addr === '0x12345678901234567890123456789012345678'",
      follow: {
        $uid: {
          .write: "auth.addr === $uid"
        }
      }
    }
  }
}

There is no ‘read’ permission in data access. It means all network participants can read your data. To secure data on specific node path, users need to encrypt the data with their own private key.

Application of Rule Configs

Permission of a value write operation (e.g. SET_VALUE) is check as follows:

When there are no rule configs on the requested path, closest ancestor's rule config is applied
If there are more than one path matched, the most specific rule config is applied
- e.g. Among a) /apps/$app_id/$service, b) /apps/afan/$service, c) /apps/afan/wonny, c) is applied.
When the value of the write operation in request is an object, the operation is granted when the permission check succeeds on every path of object. For example, SET_VALUE operation is requested on /foo/bar with value { abc: "abc_val", def: "def_val" }, it should pass the permission check on /foo/bar, /foo/bar/abc, and /foo/bar/def.
Rule config always overrides its ancestors' rule configs

PreviousRules and Owners NextOwner Configs

Last updated 3 years ago

Syntax

Rule configs are stored as a ".write" property on a path in the database using SET_RULE operation.

{
  <path>: {  // path can include variables like $key
    <to>: {
      <target_node>: {
        .write: <eval string to determine the write permission>
      }
    }
  }
}

Its value is an javascript eval string that will be evaluated true or false to determine users' permission on the path whenever a transaction with value write operations on the path is submitted.

Examples

Rule configs can be set as the following examples:

{
  transfer: {
    $from: {
      $to: {
        $key: {
          value: {
            .write: "auth.addr === $from && !getValue('transfer/' + $from + '/' + $to + '/' + $key) && getValue(util.getBalancePath($from)) >= newData"
          }
        }
      }
    }
  },
  apps: {
    afan: {
      .write: "auth.addr === '0x12345678901234567890123456789012345678'",
      follow: {
        $uid: {
          .write: "auth.addr === $uid"
        }
      }
    }
  }
}

Application of Rule Configs

Permission of a value write operation (e.g. SET_VALUE) is check as follows:

When there are no rule configs on the requested path, closest ancestor's rule config is applied

If there are more than one path matched, the most specific rule config is applied

e.g. Among a) /apps/$app_id/$service, b) /apps/afan/$service, c) /apps/afan/wonny, c) is applied.

When the value of the write operation in request is an object, the operation is granted when the permission check succeeds on every path of object. For example, SET_VALUE operation is requested on /foo/bar with value { abc: "abc_val", def: "def_val" }, it should pass the permission check on /foo/bar, /foo/bar/abc, and /foo/bar/def.

Rule config always overrides its ancestors' rule configs