couchdb-user mailing list archives

From Chris Anderson <jch...@apache.org>
Subject Re: Common security pattern?
Date Sun, 03 Jan 2010 21:18:26 GMT
On Sun, Jan 3, 2010 at 1:10 PM, Nathan Stott <nrstott@gmail.com> wrote:
> If a user can access a document via Futon, he can access via the CouchDB API
> if he knows what he's doing.  The data is exposed one way or the other if
> you store it in documents that users can access.  There is no key-level
> protection on a document that I am aware of.  Correct me if I'm wrong,
> someone.
>

There is key-level write protection. There is not key-level read
protection, and there are no plans to add it.

Per document read-control turns out to be extremely non-trivial (think
about information leakage via reduce, etc) such that Lotus Notes never
even got it right.

Chris

> On Sun, Jan 3, 2010 at 2:07 PM, Sam Bisbee <sbisbee@computervip.com> wrote:
>
>> On Sun, Jan 03, 2010 at 11:40:32AM -0800, Chris Anderson wrote:
>> > I'd avoid thinking that hiding Futon provides security. Ideally users
>> > would be able to get into the data via Futon if they choose. If you
>> > structure your validation functions properly, this should be
>> > completely secure (more secure than an http-proxy based authorization
>> > model).
>>
>> This strikes me as an odd and interesting proposition (read: the good
>> kind).
>>
>> I can think of plenty of cases where I don't want users to see all the data
>> that I have related to them: ex., hashed/crypted passwords, analytics,
>> various types of scores/weights, my profit margin on their purchases, etc.
>> Allowing users to inspect documents about themselves through Futon would
>> allow them to see all those goodies.
>>
>> Also, I have always been of the mind that even if something doesn't
>> inherently cause a security flaw, you shouldn't give it to your users if you
>> don't need to (users are too good at breaking things in ways that you don't
>> expect, especially the malicious ones).
>>
>> Not that I'm not a fan of open APIs (actually, I'm a huge fan), but even
>> those enforce validation/rules.
>>
>> Or were you discussing a specific use case?
>>
>> Cheers,
>>
>> --
>> Sam Bisbee
>>
>



-- 
Chris Anderson
http://jchrisa.net
http://couch.io
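The key-level write protection Chris describes is what a CouchDB `validate_doc_update` function provides; the block below is an added example, not code from this thread or from CouchDB itself. It assumes a profile document with an `owner` field and two server-only fields (`password_hash`, `score`), and the `tryWrite` harness stands in for CouchDB calling the function.

```javascript
// Added example (not from the thread): a CouchDB validate_doc_update
// function giving key-level WRITE protection to a user profile document.
// CouchDB invokes it as validate_doc_update(newDoc, oldDoc, userCtx, secObj)
// and rejects the write when it throws {forbidden: ...} or {unauthorized: ...}.
// Field names ('owner', 'password_hash', 'score') are assumptions; ES5 style
// because CouchDB's embedded SpiderMonkey of that era expects it.
var SERVER_ONLY_FIELDS = ['password_hash', 'score'];

function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  if (userCtx.roles.indexOf('_admin') !== -1) {
    return;                                 // admins may write anything
  }
  if (!userCtx.name) {
    throw { unauthorized: 'login required' };
  }
  // Ownership is taken from the stored copy, so a writer cannot take over a
  // document simply by sending a new 'owner' value with the update.
  var owner = oldDoc ? oldDoc.owner : newDoc.owner;
  if (owner !== userCtx.name) {
    throw { forbidden: 'only the owner may modify this document' };
  }
  if (newDoc._deleted) {
    return;                                 // the owner may delete the doc
  }
  if (oldDoc && newDoc.owner !== oldDoc.owner) {
    throw { forbidden: 'owner is immutable' };
  }
  // The owner may edit everything else, but each server-only key must be
  // unchanged (and absent on a new doc): no setting, altering or removing it.
  for (var i = 0; i < SERVER_ONLY_FIELDS.length; i++) {
    var key = SERVER_ONLY_FIELDS[i];
    var before = oldDoc ? JSON.stringify(oldDoc[key]) : undefined;
    if (JSON.stringify(newDoc[key]) !== before) {
      throw { forbidden: key + ' may only be written by the server' };
    }
  }
}

// Stand-in for CouchDB's call into the validation function: returns null when
// the write is accepted, otherwise the error object that was thrown.
function tryWrite(newDoc, oldDoc, userCtx) {
  try {
    validate_doc_update(newDoc, oldDoc, userCtx, {});
    return null;
  } catch (e) {
    return e;
  }
}
```

Note that the same owner who is refused a write to `password_hash` can still GET the whole document and read that field: the function guards writes only, which is exactly the read-side gap the thread is discussing.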
