couchdb-marketing mailing list archives

From ermouth <ermo...@gmail.com>
Subject Re: How do CouchApps fit into the CouchDB story? (Was: CouchDB Articles, Pills and Tutorials Ideas)
Date Tue, 05 May 2015 11:20:29 GMT
> How do you do per-doc or per-attachment ACL? Those are not core CouchDB
> features.

The _list function checks whether the query has the user as a first-level key
and whether it matches the caller. Then the list resends the map result if the
user has permissions. So most of the time the CPU serializes, then
deserializes, then again serializes the map response.

Good when you have tens of users – but fatally expensive when you have
hundreds.

Also this adds a vulnerability, since you can generate dummy requests that
generate an enormous map response. It will spend CPU since we check ACL after
fetching data, not before.

So this approach is useful, but very limited.

About attachments – there is no good way except security by obscurity, that
is also weird.

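The key check described in the message above, as an added example that is not part of the original post or of CouchDB itself: a `_list` function that serves rows only when the query is confined to the caller's own first-level key. It goes beyond the single case in the message by covering `key`, `startkey`/`endkey` ranges and anonymous callers. The `[userName, ...]` key shape and the names `aclList`, `queryScopedToUser`, `parseKey` and `runList` are assumptions.

```javascript
// Added example. Assumes view keys shaped [userName, ...] (constructed, not from the post).
// start/send/getRow are globals provided by CouchDB's query server; stubbed here for Node.
var start, send, getRow;

// Query parameters are assumed to reach the list function as JSON text; parsed values pass through.
function parseKey(raw) {
  if (typeof raw !== 'string') return raw;
  try { return JSON.parse(raw); } catch (e) { return undefined; }
}

// True only if every row the query can select has key[0] === user.
function queryScopedToUser(query, user) {
  if (!user) return false; // anonymous callers have a null name
  // Refuse multi-key requests and the start_key/end_key aliases rather than reason about them.
  var refused = ['keys', 'start_key', 'end_key'].some(function (p) { return query[p] !== undefined; });
  var mixed = query.key !== undefined && (query.startkey !== undefined || query.endkey !== undefined);
  if (refused || mixed) return false;
  // A range qualifies only when both ends are given and both start with the caller's name.
  var bounds = query.key !== undefined ? [query.key] : [query.startkey, query.endkey];
  return bounds.every(function (b) { var k = parseKey(b); return Array.isArray(k) && k[0] === user; });
}

// The _list function itself (hypothetical name); rejects before reading any row.
function aclList(head, req) {
  var user = req.userCtx && req.userCtx.name;
  if (req.method !== 'GET' || !queryScopedToUser(req.query || {}, user)) {
    start({ code: 403, headers: { 'Content-Type': 'application/json' } });
    send(JSON.stringify({ error: 'forbidden' }));
    return;
  }
  start({ headers: { 'Content-Type': 'application/json' } });
  var row, first = true;
  send('[');
  while ((row = getRow())) {
    send((first ? '' : ',') + JSON.stringify(row.value));
    first = false;
  }
  send(']');
}

// Node-only harness: feeds constructed rows and records status, body and rows consumed.
function runList(req, rows) {
  var out = { code: 200, body: '' }, i = 0;
  start = function (r) { out.code = r.code || 200; };
  send = function (s) { out.body += s; };
  getRow = function () { return i < rows.length ? rows[i++] : null; };
  aclList(null, req);
  out.rowsRead = i;
  return out;
}
```

In a design document the two helpers would have to live inside the list function body or in a CommonJS module of the design document, since only the function itself is stored under `lists`.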