Subject: Re: path based authentification in rewriter
From: J Chris Anderson
To: dev@couchdb.apache.org
Date: Fri, 6 Aug 2010 08:43:43 -0700
Message-Id: <9F60E2CD-3F7F-4A1C-8233-815F8A4EE855@apache.org>
List: dev@couchdb.apache.org (Apache CouchDB development list)

On Aug 6, 2010, at 4:25 AM, Benoit Chesneau wrote:

> Hi all;
>
> I wrote this patch some time ago; it adds path authentication
> to the _rewrite handler:
>
> http://github.com/benoitc/couchdb/commit/9c15cf8ed710db3805bd1a7d792ba53457cb9c48
>
> So if you have a rule:
>
> {
>   "from": "/somepath",
>   "to": "/path",
>   "roles": ["_admin", "somerole"]
> }
>
> it will test user roles against this patch and allow the user to see the
> result only if he is authorized. It handles only roles for now, but adding
> usernames would be easy too.
>
> Do you think it is worth making it upstream (i.e. committing it to trunk)?

I'm wary about this, as we don't support reader access control within a
database. This is possible currently by checking for roles within the
_show and _list functions. Making this easier is probably a bad idea, as
then people will be much more likely to use it without understanding the
implications. (E.g.: you think your site is secure when just removing a
host header is all it takes to replicate the entire database.)

Chris

> Let me know.
>
> - benoît
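An added example, not CouchDB's code and not Benoit's patch: it shows the role test the proposed "roles" rewrite rule describes, first as a plain function over a rule and a CouchDB userCtx, then the same check inside a _show function, which is the route Chris says already works. The names ruleAllows, resolveRewrite and showFun, the sample rules and the user contexts are constructed for this example; the exact-path match stands in for the rewriter's real pattern matching, which this example does not implement.

```javascript
// Added example (not from CouchDB or from the patch under discussion).
// Role test for a rewrite rule of the form
//   {"from": "/somepath", "to": "/path", "roles": ["_admin", "somerole"]}
// and the same test inside a _show function.

// Does the request's userCtx satisfy the rule?  A rule with no "roles" key
// is unrestricted.  "_admin" is CouchDB's server-admin role and is matched
// like any other entry; any one matching role is enough.
function ruleAllows(rule, userCtx) {
  if (!rule.roles) return true;
  var roles = (userCtx && userCtx.roles) || [];
  for (var i = 0; i < rule.roles.length; i++) {
    if (roles.indexOf(rule.roles[i]) !== -1) return true;
  }
  return false;
}

// Pick the first rule whose "from" equals the request path and decide.
// Assumption: exact path comparison only; the real rewriter supports
// :variable and * segments, which are out of scope here.
function resolveRewrite(rules, path, userCtx) {
  for (var i = 0; i < rules.length; i++) {
    if (rules[i].from === path) {
      return ruleAllows(rules[i], userCtx)
        ? {status: 200, to: rules[i].to}
        : {status: 403, to: null};
    }
  }
  return {status: 404, to: null};
}

// The same check inside a _show function.  CouchDB passes the request
// object as req, with req.userCtx = {db, name, roles}; a show function
// may set the HTTP status via "code" in its response object.
var showFun = function(doc, req) {
  var required = ["_admin", "somerole"];
  if (!ruleAllows({roles: required}, req.userCtx)) {
    return {code: 403, body: "forbidden"};
  }
  return {code: 200, body: JSON.stringify(doc)};
};

// Constructed sample rules and user contexts (not real data).
var rules = [
  {from: "/somepath", to: "/path", roles: ["_admin", "somerole"]},
  {from: "/public",   to: "/path/public"}
];
var adminCtx  = {name: "root", roles: ["_admin"]};
var memberCtx = {name: "bob",  roles: ["somerole"]};
var anonCtx   = {name: null,   roles: []};
```

Note where the check sits: it guards the rewritten path /somepath only. A client that reaches /path directly never passes through the rule, which is the point Chris makes about the Host header: a rewrite-level role test controls one URL, not who may read the database behind it.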