Valve Permissions

The API for Valve, deepstream's powerful permissioning mechanism.

Rule Types

You can specify permission rules for the following interactions

record

create triggered when a record is requested for the first time
write operations that change a record's data. (PATCH & UPDATE)
read reading a record's data
delete deleting a record
listen listen for other clients subscribing to a record
notify whether or not the client can notify of records updated directly in database

event

publish sending events
subscribe subscribing for events
listen listen for other clients subscribing to events

rpc

provide registering a client as a RPC provider
request making a remote procedure call

presence

allow query for connected authenticated clients

Variables

These variables are available for use within a permission rule

user

the authentication data for the user attempting the read or write, containing the following keys:

{
    //Boolean, false if id === 'open'
    isAuthenticated: true, //Boolean
    //the userId / username as returned by auth the auth provider
    id: 'johndoe', //String
    //optional object, containing fields like e.g. role, access level etc
    //returned by auth provider
    data: { role: 'admin' } //Object
}

Usage Example: write to record user-profile is only allowed for owner

record:
  user-profile/$username:
    write: "user.id === $username"

data

the incoming data for records, events and rpcs

Usage Example: only allow publishing of event if it has more than 50 likes

event:
  facebook-news:
    publish: "data.likes > 50"

oldData

the current data, only for records

Usage Example: Only allow bids higher than the current price

record:
  item/*:
    write: "data.bid > oldData.bid"

now

current timestamp on the server in ms

Usage Example: Only allow scheduling appointments in the future

rpc:
  schedule-appointment:
    request: "data.desiredDate > now"

action

the original action that triggered this rule (e.g. UPDATE / PATCH / LISTEN ) etc. Useful for more finegrained/low-level permissions. You can find a list of all available actions here

Usage Example: Only allow patch updates

record:
  user-profile/:
    write: "data.action === 'PATCH'"

$variableName

Variables that are extruded from the record / event / rpc name. Names can contain multiple variables. Variable names start with a dollar and are only allowed to contain uppercase letters, lowercase letters and numbers.

Usage Examples:

record:
  user-profile/$userId:
    # make sure users can only manipulate their own profile
    write: "$userId === user.id"
event:
  # Make sure the headline for `pet-news/pugs` contains the word pug
  pet-news/$pet:
    publish: "data.headline.indexOf( $pet ) !== -1"

Cross reference

_(recordName)

Only for records. Cross-references another record and makes the other record's data available for the permission rule.

Usage Example:

record:
  car-sale/$transactionId:
    # when booking a new car sale, make sure that
    # the car that's sold exists and that its price
    # is the same or lower than what the customer is charged
    write: "_(data.carId) !== null && _(data.carId).price >= data.price"

String functions

Valve supports the following string functions

startsWith
endsWith
indexOf
match
toUpperCase
toLowerCase
trim

Usage Example: make sure a postcode only contains numbers

record:
    address/*:
      write: "data.postcode && data.postcode.match( /^[0-9]*$/ )"

Rule Types​

record​

event​

rpc​

presence​

Variables​

user​

data​

oldData​

now​

action​

$variableName​

Cross reference​

_(recordName)​

String functions​