couchdb-commits mailing list archives

From Apache Wiki <>
Subject [Couchdb Wiki] Update of "PerDocumentAuthorization" by BramNeijt
Date Mon, 22 Nov 2010 14:41:12 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Couchdb Wiki" for change notification.

The "PerDocumentAuthorization" page has been changed by BramNeijt.


  The user is authenticated using any kind of authentication method (HTTP basic auth, or otherwise)
and is considered to be identified by a single identifying string. Under the term "specific
access", this document considers three types: being able to verify existence, being able to
read the document, and being able to update the document (deleting the document is considered
an update of the document)
  = Possible solutions =
+ == Database per user ==
+ Create one database for each user and use authentication on the database for that given
user. Because views do not work across databases, you will have to replicate all needed data
between the different user databases to allow for a view to contain both private and public/other
users' data.
+ Access protection this solution implements:
+  * Update: completely, the database can be protected against other users writing into it.
+  * Verify existence: it is still possible to verify existence of a document because other
users are given either complete read possibilities or no read abilities.
+  * Read: It is possible to deny all other users access to the database
+ Limitations:
+  * Scalability: to support both readable and non-readable documents, you will have to replicate
data from on user database to another users' database.
+  * Volume: replicating data per user will probably create way to much data.
+  * Views could still work if readable documents are copied between the different user databases.
  == Smart proxy ==
  Create a smart proxy that wraps all documents with the user credentials and filters all
  Access protection this solution implements:
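Review bot: In the added "Database per user" section, the "Verify existence" bullet does not follow from its own reasoning. It says existence can still be verified "because other users are given either complete read possibilities or no read abilities", but when another user has no read ability on the database (the case the "Read" bullet describes), nothing in this text explains how that user would learn that a document exists. State which configuration leaks existence, or say that existence is hidden whenever read access to the database is denied. The "Update: completely" bullet also covers only the owner's database; since the Limitations rely on replicating readable documents into other users' databases, say whether a recipient can modify its copy. Under Limitations, the last bullet ("Views could still work if readable documents are copied") is a mitigation rather than a limitation and would fit better next to the sentence about views in the section's opening paragraph. Two typos should be fixed as well: "from on user database" should read "from one user database", and "way to much data" should read "way too much data".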