Return-Path: 
 <user-return-4536-apmail-couchdb-user-archive=couchdb.apache.org@couchdb.apache.org>
Delivered-To: apmail-couchdb-user-archive@www.apache.org
Received: (qmail 10998 invoked from network); 23 Apr 2009 20:11:20 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3)
  by minotaur.apache.org with SMTP; 23 Apr 2009 20:11:20 -0000
Received: (qmail 49112 invoked by uid 500); 23 Apr 2009 20:11:13 -0000
Delivered-To: apmail-couchdb-user-archive@couchdb.apache.org
Received: (qmail 49030 invoked by uid 500); 23 Apr 2009 20:11:12 -0000
Mailing-List: contact user-help@couchdb.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:user-help@couchdb.apache.org>
List-Unsubscribe: <mailto:user-unsubscribe@couchdb.apache.org>
List-Post: <mailto:user@couchdb.apache.org>
List-Id: <user.couchdb.apache.org>
Reply-To: user@couchdb.apache.org
Delivered-To: mailing list user@couchdb.apache.org
Received: (qmail 49020 invoked by uid 99); 23 Apr 2009 20:11:12 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 23 Apr 2009 20:11:12 +0000
X-ASF-Spam-Status: No, hits=1.2 required=10.0
	tests=SPF_NEUTRAL
X-Spam-Check-By: apache.org
Received-SPF: neutral (athena.apache.org: local policy)
Received: from [209.85.198.237] (HELO rv-out-0506.google.com) (209.85.198.237)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 23 Apr 2009 20:11:06 +0000
Received: by rv-out-0506.google.com with SMTP id g37so541342rvb.35
        for <user@couchdb.apache.org>; Thu, 23 Apr 2009 13:10:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.142.223.4 with SMTP id v4mr462037wfg.11.1240517444430;
 Thu, 23
	Apr 2009 13:10:44 -0700 (PDT)
In-Reply-To: <46aeb24f0904231014u6cc5adadx4900ffb43b66a819@mail.gmail.com>
References: <1d3db2990904230838r34a4c060t5ae305e67145a285@mail.gmail.com>
	 <46aeb24f0904230933u1a9bad32r9dfdb073c768a11a@mail.gmail.com>
	 <1d3db2990904230959q24530cbat420cee8688f53490@mail.gmail.com>
	 <46aeb24f0904231014u6cc5adadx4900ffb43b66a819@mail.gmail.com>
Date: Thu, 23 Apr 2009 13:10:44 -0700
Message-ID: <1d3db2990904231310i4716a023sdcd4b5287a33e08@mail.gmail.com>
Subject: Re: how to do http request within server-side _show or _view
	functions?
From: Samuel Wan <sam@samuelwan.com>
To: user@couchdb.apache.org
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
X-Virus-Checked: Checked by ClamAV on apache.org

Thanks Robert. I realized I jumped too far ahead and I'm asking the
wrong question. At what point should a developer write middleware for
authentication and authorization instead of relying on CouchDB's
facilities?

Authentication:
If authentication is enabled on CouchDB, the user submits
username/password at the basic auth prompt. These credentials go to
the authentication_handler specified by the default.ini file. If you
store credentials as CouchDB documents, could you theoretically use
the null_authentication_handler to allow all requests, and then use
validate_doc_update to authenticate the userCtx object against
credential documents in the database? Is this not possible because
HTTP requests aren't supported on the server?

Authorization:
If you store permissions as CouchDB documents, how would you use
validate_doc_update to compare userCtx or newDoc against the stored
permissions document?  The validate_doc_update function cannot make a
separate HTTP request to retrieve another permissions document stored
in CouchDB.

I'm basing these questions on the technical overview page
(http://couchdb.apache.org/docs/overview.html), which says: "A basic
=93author only=94 update document model is trivial to implement, where
document updates are validated to check if the user is listed in an
=93author=94 field in the existing document. More dynamic models are also
possible, like checking a separate user account profile for permission
settings."

The security_validation.js test will check an "author" document
property for authorization, but the test seems to presume that the
user has already been authenticated because the validate_doc_update
function expects a userCtx object. The tests don't hint at how more
dynamic models are possible.

Any hints would be greatly appreciated.

-Sam

On Thu, Apr 23, 2009 at 10:14 AM, Robert Newson <robert.newson@gmail.com> w=
rote:
> I think the same rule applies, you should use the parameters supplied,
> and only those, to implement your validate function.
>
> You have the old document, the new document and the user context
> object to play with, it sounds like that's enough for your case
> anyway?
>
> B.
>
> On Thu, Apr 23, 2009 at 5:59 PM, Samuel Wan <sam@samuelwan.com> wrote:
>> Thanks. What about validate_doc_update? My goal was to check a hashed
>> key in the document submitted by a user by comparing the key with a
>> stored document when the validate_doc_update is called.
>>
>> -Sam
>>
>> On Thu, Apr 23, 2009 at 9:33 AM, Robert Newson <robert.newson@gmail.com>=
 wrote:
>>> I was just reading this (at
>>> http://wiki.apache.org/couchdb/Formatting_with_Show_and_List);
>>>
>>> "Show and list functions are side effect free and idempotent. *They
>>> can not make additional HTTP requests against CouchDB*. Their purpose
>>> is to render JSON documents in other formats."
>>>
>>> So they can't, and it's intentional.
>>>
>>> B.
>>>
>>> On Thu, Apr 23, 2009 at 4:38 PM, Samuel Wan <sam@samuelwan.com> wrote:
>>>> Is there a way to do an http request within the server-side _show or
>>>> _view functions, or is the JS context limited to what's defined by
>>>> Spidermonkey and main.js? My understanding is that Spidermonkey
>>>> doesn't provide an xmlhttprequest object.
>>>>
>>>> Also, does CouchDB ship with an interactive javascript shell, or do
>>>> you have to build and install your own? I found the couchjs
>>>> executable, but it only interprets javascript files.
>>>>
>>>> -Sam
>>>>
>>>
>>
>