couchdb-dev mailing list archives

From Paul Bonser <mister...@gmail.com>
Subject Re: Update Handlers as a safe entry point
Date Mon, 03 May 2010 21:34:54 GMT
On Mon, May 3, 2010 at 3:54 PM, Jan Lehnardt <jan@apache.org> wrote:
*snip*
>> With a vhost and rewrite it would still be vulnerable to someone who
>> leaves out a Host header, wouldn't it?
>
> Agreed. vhosts & rewrite are not security devices.
>
>> Is there a reason not to add read validation functions which work
>> along the same lines as write validation functions? Aside from the
>> fact that it would complicate the view fetching code? Perhaps for
>> views the reader list is used, but for individual document requests
>> the read validation function is used?
>
> List functions are to views what show functions are to documents. If
> you need to "disguise" view results, that should happen in a "blessed"
> list function, too.
>
> Please keep poking holes into the (vague) proposal, it might turn out
> to be a bad idea :)
*snip*

So the general idea for "blessed" shows and lists is that even when
you aren't in the list of readers for the DB, you can call that
particular list or show function, and it's up to that function to
decide whether or not it gives you any results, and what those results
are?

In that case, it would be a good solution for adding security to the
_users db, wouldn't it? Make only the admin user a reader of the DB,
but have a show function that allows anyone to read the user's
profile, and perhaps a list function that allows anyone to see a list
of users, but neither of those would include the salt or hashed
password.

And then for user registration, nobody can write directly to the
_users database, but there is a "blessed" update function which allows
anyone to add a new user and allows users to modify their own profile.

-- 
Paul Bonser
http://probablyprogramming.com
