couchdb-marketing mailing list archives

From Giovanni Lenzi <g.le...@smileupps.com>
Subject Re: How do CouchApps fit into the CouchDB story? (Was: CouchDB Articles, Pills and Tutorials Ideas)
Date Tue, 05 May 2015 12:27:27 GMT
> _list function checks if query has user as a first-level key
Exactly!

> expensive when you have hundreds
There is much room for improvement with ACL at view level.

> we check ACL after fetching data, not before.
Isn't data fetched by the getRow function? All dummy requests can be blocked
before the getRow call.



2015-05-05 13:20 GMT+02:00 ermouth <ermouth@gmail.com>:

> > How do you do per-doc or per-attachment ACL? Those are not core CouchDB
> > features.
>
> The _list function checks if the query has user as a first-level key and it matches
> the caller. Then the list resends the map result if the user has permissions. So most of
> the time the CPU serializes, then deserializes, then again serializes the map
> response.
>
> Good when you have tens of users – but fatally expensive when you have
> hundreds.
>
> Also this adds a vulnerability, since you can generate dummy requests that
> generate an enormous map response. It will spend CPU since we check ACL after
> fetching data, not before.
>
> So this approach is useful, but very limited.
>
> About attachments – there is no good way except security by obscurity, which
> is also weird.
>
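The two list-function patterns discussed in this exchange, as an added example that is not code from the thread or from the CouchDB project: `listUserDocsEarly` rejects a request whose key prefix does not equal the authenticated caller before the first `getRow()` call, while `listUserDocsLate` pulls every row and filters afterwards, which is the costly pattern the quoted mail criticises. It assumes a view that emits `[owner, ...]` keys so a `startkey`/`key` prefix selects one user's documents; the `runList` harness is a constructed stand-in for the CouchDB query-server globals (`start`, `send`, `getRow`) and only counts how many rows each variant consumed.

```javascript
'use strict';

// Extract the first element of the query's key/startkey. CouchDB passes these
// JSON-encoded in the query string, so ["alice"] arrives as the string '["alice"]'.
function firstKeyElement(query) {
  const raw = query.key !== undefined ? query.key : query.startkey;
  if (raw === undefined) return null;
  let parsed;
  try { parsed = JSON.parse(raw); } catch (e) { return null; }
  return Array.isArray(parsed) && parsed.length > 0 ? parsed[0] : null;
}

// Early-check variant (the pattern the reply argues for): the caller must equal the
// first-level key, verified before any row is read. Assumes a view emitting
// [owner, ...] keys so that the key prefix selects one user's documents.
function listUserDocsEarly(head, req) {
  const caller = req.userCtx && req.userCtx.name;
  const wanted = firstKeyElement(req.query);
  if (!caller || wanted === null || wanted !== caller) {
    start({ code: 403, headers: { 'Content-Type': 'application/json' } });
    send(JSON.stringify({ error: 'forbidden', reason: 'key prefix must equal the caller' }));
    return; // no getRow() was called: a dummy request costs only this check
  }
  start({ code: 200, headers: { 'Content-Type': 'application/json' } });
  send('{"rows":[');
  let row, first = true;
  while ((row = getRow())) {
    send((first ? '' : ',') + JSON.stringify(row));
    first = false;
  }
  send(']}');
}

// Late-check variant (the pattern criticised in the quoted mail): every row is
// pulled and then filtered, so a mismatched request still burns CPU on the full
// map result and only produces an empty answer.
function listUserDocsLate(head, req) {
  const caller = req.userCtx && req.userCtx.name;
  start({ code: 200, headers: { 'Content-Type': 'application/json' } });
  send('{"rows":[');
  let row, first = true;
  while ((row = getRow())) {
    if (!caller || row.key[0] !== caller) continue; // ACL applied after the fetch
    send((first ? '' : ',') + JSON.stringify(row));
    first = false;
  }
  send(']}');
}

// Constructed stand-in for the query-server globals: runs `fn` with start/send/
// getRow bound to `rows`, returns the response plus how many rows were pulled.
function runList(fn, req, rows) {
  const res = { code: 200, headers: {}, body: '', rowsPulled: 0 };
  const saved = { start: globalThis.start, send: globalThis.send, getRow: globalThis.getRow };
  globalThis.start = (init) => {
    if (init && init.code) res.code = init.code;
    Object.assign(res.headers, (init && init.headers) || {});
  };
  globalThis.send = (chunk) => { res.body += chunk; };
  globalThis.getRow = () => (res.rowsPulled < rows.length ? rows[res.rowsPulled++] : null);
  try {
    fn({ total_rows: rows.length, offset: 0 }, req);
  } finally {
    Object.assign(globalThis, saved);
  }
  return res;
}

// Constructed rows, as the view would return them for startkey=["alice"].
const SAMPLE_ROWS = [
  { id: 'doc1', key: ['alice', 'doc1'], value: { title: 'notes' } },
  { id: 'doc2', key: ['alice', 'doc2'], value: { title: 'todo' } },
  { id: 'doc3', key: ['alice', 'doc3'], value: { title: 'draft' } },
];

// Run the owner and an impersonating caller through both variants.
function demo() {
  const asAlice = { query: { startkey: '["alice"]' }, userCtx: { name: 'alice' } };
  const asBob = { query: { startkey: '["alice"]' }, userCtx: { name: 'bob' } };
  return {
    ownerEarly: runList(listUserDocsEarly, asAlice, SAMPLE_ROWS),
    intruderEarly: runList(listUserDocsEarly, asBob, SAMPLE_ROWS),
    intruderLate: runList(listUserDocsLate, asBob, SAMPLE_ROWS),
  };
}
```

For the impersonating caller, the early variant answers 403 with zero rows pulled, whereas the late variant still pulls all three rows and returns an empty row set. The check only makes sense if the view key's first level really is the owner and the `startkey`/`endkey` range is what bounds the result; a request without any key is rejected outright rather than falling through to an unbounded scan.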
