Rule Types
You can specify permission rules for the following interactions:

record
  create
    triggered when a record is requested for the first time
  write
    operations that change a record's data (PATCH and UPDATE)
  read
    reading a record's data
  delete
    deleting a record

event
  publish
    sending events
  subscribe
    subscribing to events

rpc
  provide
    registering a client as an RPC provider
  request
    making a remote procedure call

presence
  allow
    querying for connected authenticated clients
Variables
These variables are available for use within a permission rule:

user
the authentication data for the user attempting the operation, containing the following keys:

  {
    // Boolean, false if username === 'open' (the unauthenticated open user)
    isAuthenticated: true,
    // String, the user id / username as returned by the auth provider
    id: 'fdmng34-jn3j45b',
    // Object (optional), fields such as role or access level returned by the auth provider
    data: { role: 'admin' }
  }
Usage Example: writing to a user-profile record is only allowed for its owner

  record:
    user-profile/$username:
      write: "user.id === $username"
data
the incoming data for records, events and RPCs

Usage Example: only allow publishing of an event if it has more than 50 likes

  event:
    facebook-news:
      publish: "data.likes > 50"
oldData
the record's current data, as stored before the write is applied (records only)

Usage Example: only allow bids higher than the current price

  record:
    item/*:
      write: "data.bid > oldData.bid"

Note that this also rejects the first bid on a record that has no bid field yet: data.bid > oldData.bid is false when oldData.bid is undefined, so that case needs a separate rule or a seeded initial value if it should be allowed.
now
the current server time as a timestamp in milliseconds

Usage Example: only allow scheduling appointments in the future

  rpc:
    schedule-appointment:
      request: "data.desiredDate > now"

For the comparison to be meaningful, data.desiredDate must be sent as a millisecond timestamp as well; a date string compared with a number evaluates to false and the call is denied.
action
the original action that triggered this rule (e.g. UPDATE or PATCH). Useful for more fine-grained, low-level permissions. The list of all action identifiers used by the deepstream protocol is in the protocol documentation; use the values from that list for your version.

Usage Example: only allow patch updates

  record:
    user-profile/*:
      write: "action === 'PATCH'"
$variableName
variables extracted from the record, event or RPC name. Names can contain multiple variables. Variable names start with a dollar sign and may only contain uppercase letters, lowercase letters and numbers.

Usage Examples:

  record:
    user-profile/$userId:
      # make sure users can only manipulate their own profile
      write: "$userId === user.id"

  event:
    # make sure the headline for `pet-news/pugs` contains the word pug
    pet-news/$pet:
      publish: "data.headline.indexOf( $pet ) !== -1"

indexOf is case-sensitive, so a headline starting with "Pugs" is rejected by this rule; lower-case the headline first (see String functions below) if that is not intended.
Cross reference
_(recordName)
Only for records. Cross-references another record and makes the other record's data available for the permission rule.

Usage Example:

  record:
    car-sale/$transactionId:
      # when booking a new car sale, make sure that the car
      # that's sold exists and that the customer is charged
      # no more than the car's listed price
      write: "_(data.carId) !== null && _(data.carId).price >= data.price"
String functions
Valve supports the following string functions:

  startsWith
  endsWith
  indexOf
  match
  toUpperCase
  toLowerCase
  trim

Usage Example: make sure a postcode only contains numbers

  record:
    address/*:
      write: "data.postcode && data.postcode.match( /^[0-9]*$/ )"

The leading data.postcode && guards against a missing or empty postcode: a missing field would make .match throw, and an empty string would otherwise match /^[0-9]*$/ and be accepted.
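To reason about the rules on this page offline, the harness below binds the Valve variables described above (the $variables taken from the name, user, data, oldData, now, action and the _() cross-reference) and evaluates a rule string against them, using the rules from the $variableName, oldData, cross reference and string functions examples. It is an added example, not deepstream's own permission code: it assumes that a $variable matches a single path segment, that the first matching pattern in declaration order wins, that cross-referenced records come from a constructed in-memory store, and that a rule which throws is denied. deepstream's server parses and validates rule strings in its own way, so use this to check rule logic, not as a statement of the server's behaviour.

```javascript
'use strict';

// Constructed rule set (not a real deployment), in the same shape as the YAML
// fragments above: section -> path pattern -> rule type -> rule string.
const rules = {
  record: {
    'user-profile/$username': { write: '$username === user.id' },
    'item/*': { write: 'data.bid > oldData.bid' },
    'car-sale/$transactionId': {
      write: '_(data.carId) !== null && _(data.carId).price >= data.price',
    },
    'address/*': { write: 'data.postcode && data.postcode.match( /^[0-9]*$/ )' },
  },
  event: {
    'pet-news/$pet': { publish: 'data.headline.indexOf( $pet ) !== -1' },
  },
  rpc: {
    'schedule-appointment': { request: 'data.desiredDate > now' },
  },
};

// Constructed in-memory record store standing in for the records _() looks up.
const store = { 'car/vw-golf': { price: 18000 } };

// Compile a path pattern such as "car-sale/$transactionId" into a RegExp that
// captures every $variable. Assumption of this harness: a $variable matches
// exactly one path segment and "*" matches any remainder.
function compilePattern(pattern) {
  const names = [];
  const source = pattern
    .split(/(\$[A-Za-z0-9]+|\*)/)
    .map((part) => {
      if (part === '*') return '.*';
      if (part.startsWith('$')) {
        names.push(part);
        return '([^/]+)';
      }
      return part.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); // literal text
    })
    .join('');
  return { regex: new RegExp('^' + source + '$'), names };
}

// Cross-reference lookup: the record's data, or null if it does not exist.
// hasOwnProperty keeps names such as "constructor" from reaching the object
// prototype instead of a record.
function crossRef(recordName) {
  return Object.prototype.hasOwnProperty.call(store, recordName) ? store[recordName] : null;
}

// Evaluate the rule for (section, name, type) against ctx, which may carry
// user, data, oldData, action and now. The first matching pattern wins (an
// assumption of this harness). Anything but a truthy result, including a
// rule that throws, is treated as a denial.
function evaluate(section, name, type, ctx = {}) {
  const paths = rules[section] || {};
  for (const pattern of Object.keys(paths)) {
    const { regex, names } = compilePattern(pattern);
    const match = regex.exec(name);
    if (!match) continue;
    const rule = paths[pattern][type];
    if (typeof rule === 'boolean') return rule;
    if (typeof rule !== 'string') return false; // no rule for this type
    // The rule string comes from the operator's own permission file, never
    // from a client, so compiling it with the Valve variables as parameters
    // is acceptable for a local harness.
    const params = ['user', 'data', 'oldData', 'now', 'action', '_', ...names];
    const args = [
      ctx.user || {},
      ctx.data || {},
      ctx.oldData || {},
      ctx.now !== undefined ? ctx.now : Date.now(),
      ctx.action,
      crossRef,
      ...names.map((n, i) => match[i + 1]),
    ];
    try {
      const fn = new Function(...params, 'return (' + rule + ');');
      return Boolean(fn(...args));
    } catch (err) {
      return false;
    }
  }
  return false;
}

// Stand-alone run: exercise the examples from the page.
console.log(evaluate('record', 'user-profile/alice', 'write', { user: { id: 'alice' } }));       // true
console.log(evaluate('record', 'item/42', 'write', { data: { bid: 10 }, oldData: {} }));          // false: no previous bid
console.log(evaluate('event', 'pet-news/pugs', 'publish', { data: { headline: 'Pugs rule' } })); // false: indexOf is case-sensitive
```

Running it surfaces the two edge cases noted above: data.bid > oldData.bid is denied when oldData has no bid field, and the pet-news rule rejects a headline containing "Pugs" because indexOf is case-sensitive. A rule that throws (here, a missing headline) is denied rather than allowed, which is the failure mode you want from a permission check.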