couchdb-user mailing list archives

From Benoit Chesneau <bchesn...@gmail.com>
Subject Re: userCtx extra information
Date Wed, 29 Aug 2012 20:05:18 GMT
On Wed, Aug 29, 2012 at 9:54 PM, Gabriel Mancini
<gabriel.mancini@gmail.com> wrote:
> but can be nice have some enable/disable behaviour for user.

We could have anything once partial updates and fetch will be here. But it's not the case right now :)

- benoit
>
> On Wed, Aug 29, 2012 at 4:39 PM, Benoit Chesneau <bchesneau@gmail.com> wrote:
>
>> On Wed, Aug 29, 2012 at 9:24 PM, Dave Cottlehuber <dave@muse.net.nz>
>> wrote:
>> > On 29 August 2012 08:21, Benoit Chesneau <bchesneau@gmail.com> wrote:
>> >> On Tuesday, August 28, 2012, Aliaksandr Barysiuk wrote:
>> >>
>> >>> Hello,
>> >>>
>> >>> We store some extra information in _users db and now we are looking for a
>> >>> way to populate session.userCtx with these extra values. Is it possible at
>> >>> all?
>> >>>
>> >>> Thank you
>> >>>
>> >>> Alex
>> >>>
>> >>
>> >> user db isn't done for that. This db exists to authenticate users and
>> >> only that. You should better save the profiles in another db. Also
>> >> there is no such thing as a session in couchdb by itself.
>> >>
>> >>
>> >> benoît
>> >
>> > Any good reasons why we couldn't / shouldn't support something that
>> > eases this pain? Putting in a second db simply to store some basic
>> > profile info seems daft. And as others have found, you can store
>> > anything you like in roles.
>>
>> Well I think that storing anything in a role is a bug. We shouldn't
>> allow that and it should be fixed. Only a list of strings is expected
>> in the roles member. We should enforce that.
>>
>> For security reasons I don't think it's good to have more data in the
>> doc other than the login, roles, password and possibly anything about
>> permissions ( some would argue that the users db shouldn't exist at
>> all). You don't protect the same way the access to a user doc or a
>> profile doc. And the way it is designed right now prevents any use of
>> this profile by others. Only the user or an admin can have access to
>> the doc. Which is good imo.
>>
>> - benoit
>>
>
>
>
> --
> Gabriel Mancini de Campos
> Arquiteto de Soluções
>
> +55 (11) 9449-1706
> gabriel.mancini@gmail.com
> São Paulo - SP - Brasil
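
One way to enforce the two restrictions argued for in this message (`roles` holds only a list of strings, and the user doc carries nothing beyond login, roles and password material), as an added example that is not part of the thread and not CouchDB's own `_auth` validation code. The function has the argument list of a CouchDB `validate_doc_update` function; the field whitelist, the names `validateUserDoc` and `check`, and the sample documents are assumptions constructed for the example.

```javascript
// Added example: strict validation for documents in the _users db.
// Assumption: the only fields this example permits in a user document.
var ALLOWED_FIELDS = ['_id', '_rev', '_deleted', '_revisions', 'type', 'name',
                      'roles', 'password', 'password_sha', 'salt'];

// Same argument list as validate_doc_update; rejects by throwing {forbidden: ...}.
function validateUserDoc(newDoc, oldDoc, userCtx, secObj) {
  var i, keys;
  if (newDoc._deleted === true) {
    return; // a deletion carries no profile data to check
  }
  if (newDoc.type !== 'user') {
    throw { forbidden: 'doc.type must be "user"' };
  }
  if (typeof newDoc.name !== 'string' || newDoc.name.length === 0) {
    throw { forbidden: 'doc.name must be a non-empty string' };
  }
  if (!Array.isArray(newDoc.roles)) {
    throw { forbidden: 'doc.roles must be an array' };
  }
  for (i = 0; i < newDoc.roles.length; i++) {
    // Objects, numbers or nested arrays smuggled into roles are refused.
    if (typeof newDoc.roles[i] !== 'string') {
      throw { forbidden: 'doc.roles can only contain strings' };
    }
  }
  keys = Object.keys(newDoc);
  for (i = 0; i < keys.length; i++) {
    // Profile data belongs in another db, so unknown fields are refused.
    if (ALLOWED_FIELDS.indexOf(keys[i]) === -1) {
      throw { forbidden: 'unexpected field in user doc: ' + keys[i] };
    }
  }
}

// Helper for trying the validator outside CouchDB: returns null when the
// document is accepted, otherwise the rejection message.
function check(doc) {
  try {
    validateUserDoc(doc, null, { name: null, roles: [] }, {});
    return null;
  } catch (e) {
    return e.forbidden;
  }
}

// Constructed sample documents (hash and salt are placeholders).
var okDoc = { _id: 'org.couchdb.user:alex', type: 'user', name: 'alex',
              roles: ['editor'], password_sha: '<placeholder>', salt: '<placeholder>' };
var objectInRoles = { _id: 'org.couchdb.user:alex', type: 'user', name: 'alex',
                      roles: ['editor', { phone: '555-0100' }] };
var profileField = { _id: 'org.couchdb.user:alex', type: 'user', name: 'alex',
                     roles: [], address: '1 Example Street' };
```

`check(okDoc)` returns `null`, while `objectInRoles` and `profileField` are rejected with the `roles` and unexpected-field messages respectively.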
