couchdb-dev mailing list archives

From David Goodlad <>
Subject Re: auth polishing
Date Sun, 17 Jan 2010 10:07:49 GMT
On Sun, Jan 17, 2010 at 8:52 PM, Chris Anderson <> wrote:
> I'm thinking maybe:
> _local/security:_design/foo
> where _design/foo is the name of the ddoc that contains the current
> validation function.
> local means it doesn't replicate. hmm, we also need to make sure the
> security doc can only be updated by admins (so maybe _security makes
> sense)
> That's nice and clean:
> _security/foo to go with _design/foo

I like the naming, but not the 'only be updated by admins' part. If
there were the concept of admins for individual dbs, I would be fine
with it, though.

> I have some code open in my editor: couch_db:check_is_admin()
> I'm planning to copy this and call it check_is_reader()
> So readers is a flat list of names and roles, per db.
> If the list is empty, anyone can read. If not, then only readers can
> read. A reader is someone whose name or roles matches the db readers
> list. This means a private db is just a db where the reader list has
> one member, the db-admin.
> I think this level of reader ACL is the simplest thing that could
> possibly work, and pretty flexible too.
> Everything is readable by server admins.

Where is this list stored? As a document in the database?

Perhaps it could be part of the _security/* namespace - e.g. _security/readers ?
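
The reader check proposed in the quoted text above, as an added JavaScript sketch that is not part of the original message or of CouchDB's code. The `isReader` and `accessMatrix` names, the `userCtx` shape and the use of an `_admin` role to mark server admins are assumptions; all sample data is constructed.

```javascript
// Assumption: server admins are identified by this role in the user context.
const SERVER_ADMIN_ROLE = "_admin";

// readers: flat array of strings, each either a user name or a role name.
// userCtx: { name: string|null, roles: string[] } (assumed shape).
function isReader(readers, userCtx) {
  const roles = Array.isArray(userCtx.roles) ? userCtx.roles : [];

  // "Everything is readable by server admins."
  if (roles.includes(SERVER_ADMIN_ROLE)) return true;

  // "If the list is empty, anyone can read." A missing list is treated
  // the same way here, so a db with no readers list is public.
  if (!Array.isArray(readers) || readers.length === 0) return true;

  // The list is flat: an entry matches whether it equals the user's name
  // or one of the user's roles. Anonymous requests have no name.
  const allowed = new Set(readers);
  if (typeof userCtx.name === "string" && allowed.has(userCtx.name)) return true;
  return roles.some((role) => allowed.has(role));
}

// Constructed sample databases and users.
const SAMPLE_DBS = {
  public_db: [],                    // empty list: readable by anyone
  private_db: ["dbadmin"],          // "private db": one member, the db-admin
  team_db: ["alice", "editors"],    // one name and one role in the same list
};
const SAMPLE_USERS = [
  { name: null, roles: [] },            // anonymous
  { name: "alice", roles: [] },
  { name: "bob", roles: ["editors"] },
  { name: "carol", roles: [] },
  { name: "dbadmin", roles: [] },
  { name: "root", roles: ["_admin"] },  // server admin
];

// For each db, list which sample users pass the reader check.
function accessMatrix(dbs, users) {
  const out = {};
  for (const [db, readers] of Object.entries(dbs)) {
    out[db] = users.filter((u) => isReader(readers, u)).map((u) => u.name || "(anonymous)");
  }
  return out;
}

console.log(accessMatrix(SAMPLE_DBS, SAMPLE_USERS));
```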

