Should user be able to filter pull replication by channels they don't have access to?

I am trying to improve the performance of our app when logging in by filtering the number of documents replicated to our client device using Sync Gateway channels (Sync Gateway Enterprise v1.1.0, iOS Couchbase Lite client v1.0.4). I found that a user can only filter the documents based on channels they have access to. So I can’t use some channels for access and others for filtering; it’s all or nothing. E.g. if I use one channel with the user id to specify the user can access this document, and assign another channel to the document based on when it was last updated so that I can filter documents by time, I found that without specifying channels to filter by the user pulls the document, but when I specify the time filter the user doesn’t get the document. When I add the time filter to the list of channels the user can access then they pull the document with the filter. Is this a bug or the intended functionality?

AFAIK, the only way to filter pull replication with Sync Gateway is by specifying the channel names to pull.

Filter functions in pull replications work for CouchDB/PouchDB/Cloudant/P2P where the target has the function registered and the source specifies the filter function by its name when setting up the replication. But this method of filtering doesn’t work with Sync Gateway. Does that answer your question?

James

I wanted to know if it was intentional that you can only filter by channels that a user has access to, or if this is a bug that will be fixed in a later release. I want to be able to filter by time, but control access by different channels. I can’t realistically use time-based channels for filtering if the user has to have every single possible one in their list of accessible channels. For now I’ve used a temporary solution of only filtering by month, and adding each new monthly channel to the user’s list of accessible channels when a new document is synced. Over time this will become unmanageable though. I would much rather be able to use one single channel to indicate that a user can access a document, and then assign other channels to the document to use for filtering.

On a related note, is there a way to revoke access to a channel for a user inside the sync function? That would greatly help with my issue. I saw a note about how revoking access could be negative in the documentation here: http://developer.couchbase.com/mobile/develop/guides/sync-gateway/sync-function-api-guide/routing/index.html#access
But then it didn’t specify any function call that could actually revoke the channel access.

Yes, it’s by design that you can only filter by channels that a user has access to. However, we’re considering an enhancement that might suit your use case - https://github.com/couchbase/sync_gateway/issues/947. Have a look, and give it a +1 if it’s something you’d like to see sooner rather than later.

On revoking access: as you know, a document grants access via the sync function. If a new revision of that document doesn’t make the same access call, the user will no longer be granted access by that document. So if your sync function includes something like this:

if (some condition) {
  access(doc.user, doc.targetChannel)
}

then when a revision comes in that doesn’t satisfy “some condition”, that document will no longer grant the user access to the channel.

If there were multiple documents that made the same access grant, the user wouldn’t lose access until all of those documents were updated to bypass the access grant.
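Added example, not part of the thread and not Sync Gateway's own code: a small JavaScript model of the behaviour described in the reply above, showing that a channel grant lasts only while some document's current revision still makes the access() call, and that a pull filter only returns channels the user can access. The field names (user, targetChannel, shared), the channel names, and the harness that passes access() in as an argument are assumptions made for illustration.

```javascript
// Simplified model, not Sync Gateway's implementation. Hypothetical fields:
// user, targetChannel, shared ("some condition"); access() is passed in by the harness.
function syncFn(doc, oldDoc, access) {
  if (doc.shared) {
    access(doc.user, doc.targetChannel);
  }
}

// Keeps only the grants made by the current revision of each document.
function makeGateway() {
  const grantsByDoc = new Map(); // docId -> [{ user, channel }]
  const current = new Map(); // docId -> latest revision body
  return {
    put(id, doc) {
      const grants = [];
      syncFn(doc, current.get(id) || null, (user, channel) =>
        grants.push({ user, channel }));
      grantsByDoc.set(id, grants); // replaces the previous revision's grants
      current.set(id, doc);
    },
    // A user's channels: union of grants across all current revisions.
    channelsFor(user) {
      const out = new Set();
      for (const grants of grantsByDoc.values())
        for (const g of grants) if (g.user === user) out.add(g.channel);
      return [...out].sort();
    },
    // Pull filter: requested channels the user cannot access yield nothing.
    effectiveFilter(user, requested) {
      const allowed = new Set(this.channelsFor(user));
      return requested.filter((c) => allowed.has(c));
    },
  };
}

function demo() {
  const gw = makeGateway();
  const log = [];
  gw.put("a", { user: "alice", targetChannel: "reports", shared: true });
  gw.put("b", { user: "alice", targetChannel: "reports", shared: true });
  log.push(gw.channelsFor("alice")); // both documents grant "reports"
  gw.put("a", { user: "alice", targetChannel: "reports", shared: false });
  log.push(gw.channelsFor("alice")); // document "b" still grants it
  log.push(gw.effectiveFilter("alice", ["reports", "2015-06"]));
  gw.put("b", { user: "alice", targetChannel: "reports", shared: false });
  log.push(gw.channelsFor("alice")); // no current revision grants it
  return log;
}
console.log(JSON.stringify(demo()));
```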

Thanks for the link, I +1’ed the enhancement. It would really help use cases that aren’t really supported by Couchbase and Sync Gateway right now.

Thanks for the revoke info too. That sort of functionality doesn’t help me, so I’ll find some other way to filter data. I want a way for a newer document to revoke access for a user to an older document, but it looks like that isn’t possible.