Date: Tue, 5 May 2015 14:27:27 +0200
Subject: Re: How do CouchApps fit into the CouchDB story? (Was: CouchDB Articles, Pills and Tutorials Ideas)
From: Giovanni Lenzi
To: marketing@couchdb.apache.org

> _list function checks if query has user as a first-level key

Exactly!

> expensive when you have hundreds

There is a lot of room for improvement with ACL at view level.

> we check ACL after fetching data, not before.

Isn't data fetched by the getRow function? All dummy requests can be blocked before the getRow call.

2015-05-05 13:20 GMT+02:00 ermouth:

> > How do you do per-doc or per-attachment ACL? Those are not core CouchDB
> > features.
>
> _list function checks if query has user as a first-level key and it matches
> caller. Then the list resends the map result if the user has permissions. So
> most of the time the CPU serializes, then deserializes, then serializes the
> map response again.
>
> Good when you have tens of users – but fatally expensive when you have
> hundreds.
>
> Also, this adds a vulnerability, since you can generate dummy requests that
> generate an enormous map response. It will spend CPU since we check ACL after
> fetching data, not before.
>
> So this approach is useful, but very limited.
>
> About attachments – there is no good way except security by obscurity, which
> is also weird.
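The check discussed in this message, placed in front of the first getRow() call, as an added example that is not code from the thread or from CouchDB. It assumes the view emits array keys shaped like [userName, ...]; keyOwner, callerOwnsRange and aclList are hypothetical names. It shows where the check sits and does not measure how much view work CouchDB has done before getRow() is reached.

```javascript
// Added example. In a design document this would be stored as an anonymous
// function under "lists"; start(), send() and getRow() are CouchDB globals.
// Assumption: the view emits array keys shaped like [userName, ...].

// First element of an array key, or null for any other shape.
function keyOwner(k) {
  if (typeof k === 'string') {
    // Tolerate a parameter that reaches us as undecoded JSON text.
    try { k = JSON.parse(k); } catch (e) { return null; }
  }
  return Array.isArray(k) && typeof k[0] === 'string' ? k[0] : null;
}

// True only when every row the query can return starts with the caller's name.
function callerOwnsRange(req) {
  var caller = req.userCtx && req.userCtx.name;
  var q = req.query || {};
  if (!caller || req.method !== 'GET') return false; // anonymous or POSTed keys
  // Aliases and multi-key queries are refused rather than interpreted.
  if (q.keys !== undefined || q.start_key !== undefined ||
      q.end_key !== undefined) return false;
  if (q.key !== undefined) {
    return q.startkey === undefined && q.endkey === undefined &&
           keyOwner(q.key) === caller;
  }
  // An unbounded side (missing startkey or endkey) fails closed.
  return keyOwner(q.startkey) === caller && keyOwner(q.endkey) === caller;
}

function aclList(head, req) {
  if (!callerOwnsRange(req)) {
    start({ code: 403, headers: { 'Content-Type': 'application/json' } });
    return JSON.stringify({ error: 'forbidden' }); // getRow() is never called
  }
  start({ headers: { 'Content-Type': 'application/json' } });
  var row, first = true;
  send('[');
  while ((row = getRow())) {
    send((first ? '' : ',') + JSON.stringify(row.value));
    first = false;
  }
  return ']';
}
```

A request such as startkey=["bob"]&endkey=["bob",{}] made by user alice gets the 403 body without the row loop running.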