couchdb-user mailing list archives

From Chris Anderson
Subject Re: replication & auth
Date Tue, 26 May 2009 16:38:58 GMT
On Tue, May 26, 2009 at 9:06 AM, Wojciech Kaczmarek wrote:
> Hi!
> I just observed that authentication for replication is only needed for
> design documents, anyone can replicate normal documents into a remote
> database. Is this a bug? This behaviour occurs for push replication,
> 0.9.0 code.
> Unfortunately I'm going to have a lot of push replication as the main
> source of data are offline machines which occasionally get connected
> to online nodes. I'm considering using some reverse tunnels but for
> now it'd be a PITA; so what are the exact deficiencies of push vs
> pull?

Replication is just another HTTP client, so unless you have a
validation function that blocks anonymous users from saving to your
database, anyone can push replicate. By default only admins can make
design documents, so as long as you have a database admin set up, you
won't see untrusted users editing design docs.

Pull replication is just GET requests, so anyone who can browse your
database can replicate from it.


Chris Anderson
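
A validation function of the kind the reply describes, as an added example that is not part of the original message or of CouchDB's own code. The "writer" role, the "_design/auth" name, the sample documents and the simulateWrite harness are assumptions made for illustration; the harness only mimics locally how the server turns the thrown object into an HTTP status.

```javascript
// validate_doc_update runs on every write to the database, whether it comes
// from a browser, a script, or a push replication from another node.
function validateDocUpdate(newDoc, oldDoc, userCtx) {
  var roles = (userCtx && userCtx.roles) || [];
  // Anonymous requests carry no user name.
  if (!userCtx || userCtx.name === null || userCtx.name === undefined) {
    throw { unauthorized: "Log in before writing to this database." };
  }
  // Hypothetical policy: only admins or holders of a "writer" role may save.
  if (roles.indexOf("_admin") === -1 && roles.indexOf("writer") === -1) {
    throw { forbidden: "User " + userCtx.name + " may not write here." };
  }
}

// The function is stored as source text in a design document
// ("_design/auth" is a made-up name).
var designDoc = {
  _id: "_design/auth",
  validate_doc_update: validateDocUpdate.toString()
};

// Local stand-in for the server: maps the thrown object to the HTTP status
// CouchDB answers with (401 unauthorized, 403 forbidden, 201 on success).
function simulateWrite(newDoc, oldDoc, userCtx) {
  try {
    validateDocUpdate(newDoc, oldDoc, userCtx);
    return { status: 201 };
  } catch (e) {
    if (e.unauthorized) return { status: 401, reason: e.unauthorized };
    if (e.forbidden) return { status: 403, reason: e.forbidden };
    throw e;
  }
}

// Constructed sample writes, as a push replication would deliver them.
var doc = { _id: "reading-0001", sensor: "offline-node-3", value: 21.5 };
var results = {
  anonymous: simulateWrite(doc, null, { name: null, roles: [] }),
  plainUser: simulateWrite(doc, null, { name: "alice", roles: [] }),
  writer: simulateWrite(doc, null, { name: "node3", roles: ["writer"] }),
  admin: simulateWrite(doc, null, { name: "root", roles: ["_admin"] })
};
console.log(results);
```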
