couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From J Chris Anderson <jch...@apache.org>
Subject Re: path based authentification in rewriter
Date Fri, 06 Aug 2010 15:43:43 GMT

On Aug 6, 2010, at 4:25 AM, Benoit Chesneau wrote:

> Hi all;
> 
> I've written this patch sometimes ago that add path authentification
> to _rewrite handler :
> 
> 
> http://github.com/benoitc/couchdb/commit/9c15cf8ed710db3805bd1a7d792ba53457cb9c48
> 
> 
> So if you have a rule :
> 
> {
>  "from": "/somepath",
>  "to": "/path",
>  "roles": ["_admin", "somerole"]
> }
> 
> It will test user roles against this patch and allow the use to see the
> result only if he's authorized. It handle only roles for now, but adding
> usernames could be easy too.
> 
> Do you think It worth to make it upstream ? (ie commit it in trunk)
> 

I'm wary about it this, as we don't support reader access control within a database. This
is possible currently by checking for roles within the _show and _list functions. Making this
easier is probably a bad idea, as then people will be much more likely to use it without understanding
the implications. (Eg: you think your site is secure when just removing a host header is all
it takes to replicate the entire database).

Chris

> Let me know.
> 
> - benoƮt


Mime
View raw message