From: Jan Wedekind
Date: Mon, 1 Aug 2011 19:19:58 +0200
Subject: Re: Implementing Authorization control for Self-Enrollers in a pure Couchapp
To: user@couchdb.apache.org

On Tue, Jul 19, 2011 at 02:12, Randall Leeds wrote:
> > ---------- Forwarded message ----------
> > From: Alex Aitken
> > Date: Thu, Jul 14, 2011 at 4:19 PM
> > Subject: Implementing Authorization control for Self-Enrollers in a pure Couchapp
> > To: dev@couchdb.apache.org
> >
> > What's the best way using CouchDB's built-in authentication/authorization to set up self-enrollers as user type = reader? I understand there's a db/_security object, but not how to edit it/use it/update it... And if admins are the only ones capable of editing roles, how does a self-enrolled user get these assigned?
> > Thanks for thoughts,
> > Alex Aitken
>
> You can edit the _security object by clicking on "Security..." at the top of the futon page for a database. You should also be able to GET/PUT /database/_security.
>
> The rules for updating roles and who can change what about user documents are actually just implemented as a validate_doc_update function in the _users database. Check out /_users/_design/auth. You could special case "readers" for self-enrollment in your deployment.

I am kind of stuck at the same problem. I've looked at /_users/_design/_auth, which was quite insightful, thanks a LOT for that simple comment here.

Alex, do I get correctly that you meant changing the validation functions so that users could set e.g. one specific role "reading" without throwing the error that only the admin may do that? Do you have an example for that?

Many thanks,
Jan
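The following is an added example, not code from the CouchDB project or from anyone in this thread. It models the two pieces Randall's reply points at: the per-database `_security` object (CouchDB 1.x shape with `admins` and `readers` sections, the one you PUT to `/database/_security`) and a `validate_doc_update` for the `_users` database that special-cases a single self-enrollment role while keeping every other role change admin-only. The role name `reader`, the helper names (`isDbAdmin`, `canRead`, `tryUpdate`, `runScenario`) and the sample user documents are assumptions constructed for this example; the `(newDoc, oldDoc, userCtx, secObj)` signature is the one CouchDB uses for validation functions.

```javascript
// Added example: a self-enrollment-aware validate_doc_update for the _users
// database, plus a model of CouchDB's per-database _security read check.
// Role name, helper names and sample documents are assumptions, not CouchDB code.

// Constructed sample: the _security object for an application database where
// only holders of the "reader" role (or admins) may read.
const APP_DB_SECURITY = {
  admins:  { names: ["alice"], roles: [] },
  readers: { names: [],        roles: ["reader"] }
};

// The single role a non-admin may grant to their own _users document (assumption).
const SELF_ENROLL_ROLE = "reader";

function hasAny(list, values) {
  return values.some(v => list.indexOf(v) !== -1);
}

// Server admins carry the reserved "_admin" role; database admins are listed in
// the database's own _security object (secObj).
function isDbAdmin(userCtx, secObj) {
  if (userCtx.roles.indexOf("_admin") !== -1) return true;
  const a = (secObj && secObj.admins) || { names: [], roles: [] };
  return a.names.indexOf(userCtx.name) !== -1 || hasAny(a.roles, userCtx.roles);
}

// CouchDB 1.x "readers" rule: both lists empty means the database is public;
// otherwise the user must be an admin or be listed by name or by role.
function canRead(userCtx, secObj) {
  const r = (secObj && secObj.readers) || { names: [], roles: [] };
  if (r.names.length === 0 && r.roles.length === 0) return true;
  if (isDbAdmin(userCtx, secObj)) return true;
  return r.names.indexOf(userCtx.name) !== -1 || hasAny(r.roles, userCtx.roles);
}

// Validation function for the _users database: throws {forbidden: ...} to
// reject a write and returns normally to accept it.
function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  const admin = isDbAdmin(userCtx, secObj);

  if (newDoc._deleted === true) {
    if (admin) return;
    throw { forbidden: "Only admins may delete user documents." };
  }
  if (newDoc.type !== "user")          throw { forbidden: "doc.type must be 'user'." };
  if (typeof newDoc.name !== "string") throw { forbidden: "doc.name is required." };
  if (newDoc._id !== "org.couchdb.user:" + newDoc.name)
    throw { forbidden: "doc._id must be 'org.couchdb.user:' + doc.name." };
  if (!Array.isArray(newDoc.roles))    throw { forbidden: "doc.roles must be an array." };
  if (oldDoc && oldDoc.name !== newDoc.name) throw { forbidden: "doc.name may not change." };
  // Reserved roles such as _admin never belong in a user document, not even via an admin.
  if (newDoc.roles.some(r => r.charAt(0) === "_"))
    throw { forbidden: "Roles starting with '_' are reserved." };

  if (admin) return;   // admins may set or remove any other role

  if (oldDoc) {
    // Non-admin update: only your own document, and the only permitted
    // change to roles is adding SELF_ENROLL_ROLE.
    if (userCtx.name !== newDoc.name)
      throw { forbidden: "You may only edit your own user document." };
    const oldRoles = oldDoc.roles || [];
    for (const r of oldRoles) {
      if (newDoc.roles.indexOf(r) === -1) throw { forbidden: "Only admins may remove roles." };
    }
    for (const r of newDoc.roles) {
      if (r !== SELF_ENROLL_ROLE && oldRoles.indexOf(r) === -1)
        throw { forbidden: "Only admins may grant roles other than '" + SELF_ENROLL_ROLE + "'." };
    }
  } else {
    // Non-admin creation (self-enrollment): roles may be empty or exactly the
    // self-enrollment role; anything else stays admin-only.
    if (newDoc.roles.some(r => r !== SELF_ENROLL_ROLE))
      throw { forbidden: "Only admins may grant roles other than '" + SELF_ENROLL_ROLE + "'." };
  }
}

// Helper: null when the write is accepted, the rejection message otherwise.
function tryUpdate(newDoc, oldDoc, userCtx, secObj) {
  try { validate_doc_update(newDoc, oldDoc, userCtx, secObj); return null; }
  catch (e) { return e.forbidden; }
}

// Constructed scenario: an anonymous visitor self-enrols as "bob" with the
// reader role, a later escalation attempt is rejected, and the resulting
// user context is checked against the application database's _security.
const USERS_DB_SECURITY = { admins: { names: [], roles: [] }, readers: { names: [], roles: [] } };
const bobDoc = { _id: "org.couchdb.user:bob", type: "user", name: "bob", roles: ["reader"] };

function runScenario() {
  return {
    selfEnroll: tryUpdate(bobDoc, null, { name: null, roles: [] }, USERS_DB_SECURITY),
    escalate:   tryUpdate({ ...bobDoc, roles: ["reader", "editor"] }, bobDoc,
                          { name: "bob", roles: ["reader"] }, USERS_DB_SECURITY),
    sysRole:    tryUpdate({ ...bobDoc, roles: ["_admin"] }, null, { name: null, roles: [] }, USERS_DB_SECURITY),
    adminGrant: tryUpdate({ ...bobDoc, roles: ["reader", "editor"] }, bobDoc,
                          { name: "root", roles: ["_admin"] }, USERS_DB_SECURITY),
    enrolledCanRead:   canRead({ name: "bob", roles: ["reader"] }, APP_DB_SECURITY),
    unenrolledCanRead: canRead({ name: "bob", roles: [] }, APP_DB_SECURITY)
  };
}
```

The consequence worth keeping in mind when deploying this pattern: because creation of a user document is open, anyone who can reach the server can obtain the `reader` role, so it really means "any registered account" rather than a grant someone reviewed. If reading is meant to be restricted to approved people, keep the role admin-only in the validation function and have an admin-driven step assign it.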