couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Benoit Chesneau <bchesn...@gmail.com>
Subject Re: doc permission mask proposal
Date Thu, 28 Apr 2011 02:58:09 GMT
On Thu, Apr 28, 2011 at 3:49 AM, Kevin Coombes
<kevin.r.coombes@gmail.com> wrote:
>
>
> On 4/27/2011 5:48 PM, Jan Lehnardt wrote:
>>
>> On 27 Apr 2011, at 15:43, Randall Leeds wrote:
>>
>>> On Wed, Apr 27, 2011 at 15:30, Jan Lehnardt<jan@apache.org>  wrote:
>>>>
>>>> On 27 Apr 2011, at 14:56, Kevin R. Coombes wrote:
>>>>
>>>>> So it would be possible to have access to a view that allows you see
a
>>>>> doc that you don't have permission to see? Or am I misinterpreting
>>>>> something?
>>>>
>>>> That was my question, but Benoit basically said "no". His approach is to
>>>> disallow access of a view that is defined in a design document that you have
>>>> no permission to read.
>>>>
>>>> Cheers
>>>> Jan
>>>
>>> I think the answer is actually "yes". If you can see the design
>>> document you can see everything the view emits, even if it came from a
>>> document you can't view.
>>
>> Hm, I was thinking that the view updater would match the design doc acl
>> against the doc acl when the view is created and exclude it if it doesn't
>> match up for reads.
>>
>> Cheers
>> Jan
>
> I think the real question is whether this puts the burden on the writer of
> the view (to make sure that he doesn't emit a document that should be
> protected) or whether Benoit's plan implies that the couch server would
> enforce the protections for you which is what I think your answer implies).
>

For me views are created by users with high privileges, so  such user
may want to allow access to any doc in a view or restricting them by
checking their uid or gid in the view function (and we can pass the
design document permissions in the view during indexation). What is
important here, is that only allowed users can use these views or any
functions under _design. This system also give more flexibility to the
view writer.

But we could also force the permissions of doc in a views by a special
design document flag or permission bit which would pass to the view
functions only doc corresponding to the design document permissions.
Such option could be interesting in environment where view creation is
allowed to low privileged users and could be enforced by a general
settings in ini.

- benoît

Mime
View raw message