couchdb-dev mailing list archives

From Vlad GURDIGA <gurd...@gmail.com>
Subject Re: Per-DB Auth Ideas and Proposal
Date Sun, 13 Sep 2009 07:48:44 GMT
I'm sorry to break the wave, but I wonder whether it would be practical to
have a kind of validate_doc_read.js? It would give a certain level of
consistency with the validate_doc_update.js mechanism, and we would
probably be able to have unified security meta-data looking like:

var role = {
  editor: {
    can: {
      read: {books: true, authors: true},
      write: {books: true, authors: true},
      add: {books: true, authors: true}
    }
  }
};

var user = {

  john: {
    can: {
      read: {books: true, authors: true},
      add: {books: true, authors: true}
    },
    has: {
      role: {editor: true, administrator: true}
    }
  },

  mary: {
    can: {
      read: {authors: true},
      add: {authors: true}
    },
    has: {
      role: {editor: true}
    }
  }

};

This may look a little verbose to write, but it feels pretty readable:

if (!user[userCtx.name].can.read.books && !user[userCtx.name].has.role.editor) {
  throw "Read access denied";
}

It would decouple security meta-data from the data itself (I'm not
saying that this would necessarily be a good thing though, let's
discuss).

What do you think?
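An added example, not code from the message above or from CouchDB: a small resolver over the proposed role/user security meta-data, generalised so that a permission is granted either directly to the user or through any role the user holds, plus a sketch of what a validate_doc_read function following the validate_doc_update convention (throw `{forbidden: ...}` to deny) could look like. The `(doc, userCtx, secObj)` signature, the `doc.type` field used to key the meta-data, and the extra `administrator` role and `guest` user are assumptions made for the example.

```javascript
// Added example (not from the original message): security meta-data in the
// shape sketched in the proposal. The administrator role, the audit type and
// the guest user are constructed here for illustration.
const security = {
  role: {
    editor: {
      can: {
        read: { books: true, authors: true },
        write: { books: true, authors: true },
        add: { books: true, authors: true },
      },
    },
    administrator: { can: { read: { audit: true } } },
  },
  user: {
    john: {
      can: { read: { books: true, authors: true }, add: { books: true, authors: true } },
      has: { role: { editor: true, administrator: true } },
    },
    mary: {
      can: { read: { authors: true }, add: { authors: true } },
      has: { role: { editor: true } },
    },
    guest: { can: { read: {} }, has: { role: {} } },
  },
};

// Look up can.<action>.<type> on one entry (a user or a role). Missing levels
// mean "not granted" rather than a TypeError, so a sparse entry is safe.
function grants(entry, action, type) {
  return Boolean(
    entry && entry.can && entry.can[action] && entry.can[action][type] === true
  );
}

// True when `name` may perform `action` on documents of `type`, either
// directly or via a role the user holds. Unknown users and unknown roles
// get nothing (default deny).
function isAllowed(sec, name, action, type) {
  const u = sec.user[name];
  if (!u) return false;
  if (grants(u, action, type)) return true;
  const held = (u.has && u.has.role) || {};
  return Object.keys(held).some(
    (r) => held[r] === true && grants(sec.role[r], action, type)
  );
}

// Sketch of a validate_doc_read function. The (doc, userCtx, secObj)
// signature is an assumption; doc.type names the document class that the
// meta-data is keyed by. Denial throws {forbidden: ...} like
// validate_doc_update does.
function validateDocRead(doc, userCtx, secObj) {
  const type = doc && doc.type;
  if (!type || !isAllowed(secObj, userCtx.name, "read", type)) {
    throw { forbidden: "Read access denied" };
  }
  return true;
}

// Non-throwing variant for callers that want to filter rather than fail.
function canRead(doc, userCtx, secObj) {
  try {
    return validateDocRead(doc, userCtx, secObj);
  } catch (e) {
    return false;
  }
}

// Usage: mary holds the editor role, so she can read books through it even
// though her direct grants only cover authors; she cannot read audit docs.
console.log(canRead({ type: "books" }, { name: "mary" }, security)); // true
console.log(canRead({ type: "audit" }, { name: "mary" }, security)); // false
```

Two design points the resolver makes explicit: every lookup defaults to deny when a user, role or type is absent, and a document without a `type` is refused rather than silently passed, since the meta-data has nothing to key on for it.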
