couchdb-user mailing list archives

From Luca Matteis <lmatt...@gmail.com>
Subject Re: Request object in validate_doc_update
Date Tue, 29 May 2012 06:40:57 GMT
Yes, people could get around the voting by simply using a proxy server
or logging in from somewhere else. But the idea is that it makes it
*harder* for people to vote based on their IP address.

Also there's an issue that I'm having with my Couchapp which is that
it's extremely easy for users to create new accounts,
programmatically. All they need to do is: i=0; while(1) {
put_doc_in_users_db(i++) }

I know this is also solved by putting some sort of firewall before
Couch. But these are little fixes and little things that could really
make writing couchapps a lot better.

On Tue, May 29, 2012 at 8:28 AM, Jens Alfke <jens@couchbase.com> wrote:
>
> On May 28, 2012, at 2:26 PM, Luca Matteis wrote:
>
> contained in the request), so why not give the IP address of the
> request as well? This would allow the creation of even more powerful
> Couchapps.
>
> The IP address is not very useful for what you're trying to do. Given the prevalence
> of NAT (even by ISPs and cell carriers), multiple different users can appear to be at the
> same IP address; and given dynamic addressing and mobile devices, a single user can appear
> at multiple IP addresses over time.
>
> In other words, if you do this it will offend some of your users who will be accused
> unfairly of cheating simply because they're behind a NAT, and it'll still be pretty easy for
> people to hack around by just voting from home, from work, and from a cafe.
>
> Basically any system with disposable easily-created anonymous accounts will run into
> issues like these. There isn't any way around them without making the accounts stickier. But
> that's off-topic for this list.
>
> —Jens
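
For reference, an added example that is not part of either message or of CouchDB's own code: `validate_doc_update` receives only `(newDoc, oldDoc, userCtx, secObj)`, so a vote can be tied to the authenticated account rather than to an IP address. The vote document fields, the `vote:<item>:<voter>` `_id` scheme and the `tryWrite` harness are assumptions made for illustration; the check limits votes per account, not per person.

```javascript
// Added example, not from the thread. Document fields (type, item, voter,
// value) and the "vote:<item>:<voter>" _id scheme are assumed for illustration.
function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  // CouchDB calls this with four arguments only; no request object or
  // client IP address is passed in.
  if (newDoc.type !== 'vote') return;
  var isAdmin = userCtx.roles.indexOf('_admin') !== -1;
  if (newDoc._deleted) {
    if (!isAdmin) throw({forbidden: 'votes cannot be deleted'});
    return;
  }
  if (!userCtx.name) throw({unauthorized: 'log in to vote'});
  if (newDoc.voter !== userCtx.name)
    throw({forbidden: 'voter must be the logged-in user'});
  if (typeof newDoc.item !== 'string' || newDoc.item === '')
    throw({forbidden: 'item is required'});
  // Deterministic _id: a second vote by the same account on the same item
  // maps to the same document, so it arrives as an update, not a new vote.
  if (newDoc._id !== 'vote:' + newDoc.item + ':' + userCtx.name)
    throw({forbidden: '_id must be vote:<item>:<voter>'});
  if (newDoc.value !== 1 && newDoc.value !== -1)
    throw({forbidden: 'value must be 1 or -1'});
  if (oldDoc && !isAdmin) throw({forbidden: 'vote already cast'});
}

// Hypothetical local harness: returns 'ok' or the kind of rejection.
function tryWrite(newDoc, oldDoc, userCtx) {
  try {
    validate_doc_update(newDoc, oldDoc, userCtx, {});
    return 'ok';
  } catch (e) {
    return Object.keys(e)[0];
  }
}

// Constructed sample data.
var alice = {name: 'alice', roles: []};
var bob = {name: 'bob', roles: []};
var anon = {name: null, roles: []};
var vote = {_id: 'vote:post-1:alice', type: 'vote', item: 'post-1',
            voter: 'alice', value: 1};
console.log(tryWrite(vote, null, alice)); // first vote by alice
console.log(tryWrite(vote, vote, alice)); // alice tries to vote again
console.log(tryWrite(vote, null, bob));   // bob submits a vote as alice
console.log(tryWrite(vote, null, anon));  // not logged in
```

Two accounts behind the same NAT address are both accepted here, because the key is the account name.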
