couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul Davis <paul.joseph.da...@gmail.com>
Subject Re: The _security object should be versioned
Date Sat, 27 Aug 2011 05:36:58 GMT
On Fri, Aug 26, 2011 at 10:17 PM, Filipe David Manana
<fdmanana@apache.org> wrote:
> On Fri, Aug 26, 2011 at 8:01 PM, Jason Smith <jhs@iriscouch.com> wrote:
>> 1. Does this require updating the replicator to update _local docs correctly?
>
> Yes
>
>> 2. Only admins can change _security. But anybody with read access can
>> change _local/*. Does couch special-case _local/security?
>
> My preference:
>
> _security would become a regular document (just a special id, which
> starts with underscore). We can still cache the latest revision in the
> db header, db updater state, whatever.
>
> This _security document (or perhaps any other starting with underscore
> in the future), would only be replicable if the replication is
> triggered by some special user with some special role (_admin,
> _server_admin, whatever).
>
> Does it sound simple and satisfies people's needs?
>

No. Abso-fucking-lutely note.

Imagine you have a phone with a CouchDB. And your friend says, "Just
replicate this photo album." But he's inserted a _security doc that
gives him permission to touch your private data. If someone said the
obvious answer is "have a validate_doc_update function," I would
obviously slap that person.

Never in no way ever should it be remotely possible to unknowingly
change authorization settings because your db accidentally slurped up
a _security doc.

>>
>> --
>> Iris Couch
>>
>
>
>
> --
> Filipe David Manana,
> fdmanana@gmail.com, fdmanana@apache.org
>
> "Reasonable men adapt themselves to the world.
>  Unreasonable men adapt the world to themselves.
>  That's why all progress depends on unreasonable men."
>

Mime
View raw message