Storage validation improvements. Merge #73

The format is based on [keep a changelog](http://keepachangelog.com/) and this project uses [semantic versioning](http://semver.org/).

## [Unreleased]

### Fixed

- Update storage write permissions validation.

## [0.13.0] - 2017-05-29

### Added

vet:

	go vet ${GOFLAGS} ${LDFLAGS}

.PHONY: suite

suite: dbstart dbreset dbsetup test dbstop

.PHONY: test

test:

	@echo "Not yet implemented"

	go test ./tests

.PHONY: run

run: GOFLAGS := -race

hash: eaca7acd10cdfdd13ddd0fcf302c626a8b7a450c13970abbbd1fac319f02c2ad

updated: 2017-05-24T13:55:34.751285113+01:00

hash: 26c638eb537a5d88ad12fffd9cb17d69b70548e20db7938623830c129947b1e6

updated: 2017-06-01T13:50:10.856331595+01:00

imports:

- name: github.com/armon/go-metrics

  version: 97c69685293dce4c0a2d0b19535179bbc976e4d2

  - context

- name: gopkg.in/gorp.v1

  version: c87af80f3cc5036b55b83d77171e156791085e2e

testImports: []

testImports:

- name: github.com/stretchr/testify

  version: 69483b4bd14f5845b5a1e55bca19e954e827f1d0

  subpackages:

  - assert

- package: github.com/yuin/gopher-lua

- package: github.com/fatih/structs

  version: ~1.0.0

testImport:

- package: github.com/stretchr/testify

  version: ~1.1.4

		if len(d.UserId) != 0 {

			if uid, err := uuid.FromBytes(d.UserId); err != nil {

				return nil, BAD_INPUT, errors.New("Invalid user ID")

			} else if caller != uid {

			} else if caller != uuid.Nil && caller != uid {

				// If the caller is a client, only allow them to write their own data.

				return nil, BAD_INPUT, errors.New("Clients can only write their own data")

				return nil, BAD_INPUT, errors.New("A client can only write their own records")

			}

		} else if caller != uuid.Nil {

			// If the caller is a client, do not allow them to write global data.

			return nil, BAD_INPUT, errors.New("Clients cannot write global data")

			return nil, BAD_INPUT, errors.New("A client cannot write global records")

		}

		// Make this `var js interface{}` if we want to allow top-level JSON arrays.

		if len(d.Version) == 0 {

			// Simple write.

			query += " WHERE NOT EXISTS (SELECT record FROM storage WHERE user_id = $2 AND bucket = $3 AND collection = $4 AND record = $5 AND deleted_at = 0"

			// If needed use an additional clause to enforce permissions.

			if caller != uuid.Nil {

				query += " AND write = 0"

				query += " WHERE NOT EXISTS (SELECT record FROM storage WHERE user_id = $2 AND bucket = $3 AND collection = $4 AND record = $5 AND deleted_at = 0 AND write = 0)"

			}

			query += `)

			query += `

ON CONFLICT (bucket, collection, user_id, record, deleted_at)

DO UPDATE SET value = $6::BYTEA, version = $7, read = $8, write = $9, updated_at = $10`

		} else if bytes.Equal(d.Version, []byte("*")) {

		if len(key.UserId) != 0 {

			if uid, err := uuid.FromBytes(key.UserId); err != nil {

				return BAD_INPUT, errors.New("Invalid user ID")

			} else if caller != uuid.Nil && caller != uid {

				// If the caller is a client, only allow them to write their own data.

				return BAD_INPUT, errors.New("A client can only remove their own records")

			} else {

				owner = uid.Bytes()

			}

		} else if caller != uuid.Nil {

			// If the caller is a client, do not allow them to write global data.

			return BAD_INPUT, errors.New("A client cannot remove global records")

		}

		if i != 0 {