couchdb-user mailing list archives

From Benoit Chesneau <bchesn...@gmail.com>
Subject Re: userCtx extra information
Date Wed, 29 Aug 2012 19:39:27 GMT
On Wed, Aug 29, 2012 at 9:24 PM, Dave Cottlehuber <dave@muse.net.nz> wrote:
> On 29 August 2012 08:21, Benoit Chesneau <bchesneau@gmail.com> wrote:
>> On Tuesday, August 28, 2012, Aliaksandr Barysiuk wrote:
>>
>>> Hello,
>>>
>>> We store some extra information in _users db and now we are looking for a way
>>> to populate session.userCtx with these extra values. Is it possible at all?
>>>
>>> Thank you
>>>
>>> Alex
>>>
>>
>> User db isn't done for that. This db exists to authenticate users and only
>> that. You should better save the profiles in another db. Also there is no
>> such thing as a session in couchdb by itself.
>>
>>
>> benoît
>
> Any good reasons why we couldn't / shouldn't support something that
> eases this pain? Putting in a second db simply to store some basic
> profile info seems daft. And as others have found, you can store
> anything you like in roles.

Well I think that storing anything in a role is a bug. We shouldn't
allow that and it should be fixed. Only a list of strings is expected
in the roles member. We should enforce that.

For security reasons I don't think it's good to have more data in the
doc other than the login, roles, password and possibly anything about
permissions (some would argue that the users db shouldn't exist at
all). You don't protect the access to a user doc or a profile doc the
same way. And the way it is designed right now prevents any use of
this profile by others. Only the user or an admin can have access to
the doc. Which is good imo.

- benoit
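
Added example, not part of the original message and not CouchDB's own `_users` validation code: a `validate_doc_update`-style function that rejects a user doc whose `roles` member is anything other than a list of strings, and that refuses extra profile fields. The `ALLOWED_FIELDS` allow-list, the `check` helper and the sample docs are assumptions constructed for illustration.

```javascript
// Assumed allow-list of top-level fields for a user doc (illustrative only).
var ALLOWED_FIELDS = ["_id", "_rev", "_deleted", "_revisions", "type", "name",
                      "roles", "password", "password_sha", "salt"];

// Same signature and error convention as a CouchDB validate_doc_update function:
// throwing {forbidden: msg} rejects the write.
function validateUserDoc(newDoc, oldDoc, userCtx) {
  if (newDoc._deleted) { return; }            // deletions carry no roles to check
  if (!Array.isArray(newDoc.roles)) {
    throw { forbidden: "doc.roles must be an array" };
  }
  newDoc.roles.forEach(function (role, i) {
    // Objects, numbers or nested arrays smuggled into roles end up here.
    if (typeof role !== "string" || role.length === 0) {
      throw { forbidden: "doc.roles[" + i + "] must be a non-empty string" };
    }
  });
  Object.keys(newDoc).forEach(function (key) {
    if (ALLOWED_FIELDS.indexOf(key) === -1) {
      throw { forbidden: "unexpected field in user doc: " + key };
    }
  });
}

// Hypothetical helper: run the validator and return "ok" or the rejection reason.
function check(doc) {
  try {
    validateUserDoc(doc, null, { name: null, roles: [] });
    return "ok";
  } catch (e) {
    return e.forbidden;
  }
}

// Constructed sample docs.
var base = { _id: "org.couchdb.user:alex", type: "user", name: "alex",
             password_sha: "<constructed>", salt: "<constructed>" };
var good = Object.assign({}, base, { roles: ["editor"] });
var stuffedRoles = Object.assign({}, base,
  { roles: ["editor", { email: "alex@example.com" }] });
var extraProfile = Object.assign({}, base,
  { roles: ["editor"], profile: { city: "Minsk" } });

console.log(check(good), "|", check(stuffedRoles), "|", check(extraProfile));
```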
