couchdb-user mailing list archives

From TAE JIN KIM <snoweb...@hotmail.com>
Subject RE: Curiosity how you use CouchDB in your web env.
Date Wed, 06 Mar 2013 19:31:11 GMT
> If you set up members on your database, anonymous users can see the DB name
> but they can't see/edit the documents.

Are you sure about that?
According to my testing, anonymous users can still see and edit the documents, even
though an admin account was set up.

Thanks, 

> Date: Wed, 6 Mar 2013 14:21:04 -0500
> Subject: Re: Curiosity how you use CouchDB in your web env.
> From: Tr@visPaul.me
> To: user@couchdb.apache.org
> 
> > but anonymous users are still able to read the Futon management
> > page (_utils) for all databases and documents...
> 
> If you set up members on your database, anonymous users can see the DB name
> but they can't see/edit the documents.
> 
> If you are concerned about users being able to access _utils in general,
> even if they don't have rights to do anything, you can use a reverse proxy,
> though I can't think of any legitimate security reason to do so besides
> hiding database names, and there may be a better approach if that is what
> you are after.
> 
> For example in nginx:
> 
>  location /_utils {
>     deny all;
>  }
> 
> 
> 
> On Wed, Mar 6, 2013 at 2:11 PM, TAE JIN KIM <snowebang@hotmail.com> wrote:
> 
> > Let's suppose that you deployed your html to
> > http://127.0.0.1:5984/testdb/_design/frontend/Index.htm served by your
> > CouchDB directly.
> > How do you set it up in a way that anonymous users are only able to access
> > _design/front-end, but nothing else like the Futon management pages (_utils)?
> > Looks like you may be able to set up an account, but anonymous users
> > are still able to read the Futon management page (_utils) for all databases
> > and documents...
> >
> > Thanks,
> >
> > > Date: Wed, 6 Mar 2013 12:42:28 -0600
> > > Subject: Re: Curiosity how you use CouchDB in your web env.
> > > From: rnewson@apache.org
> > > To: user@couchdb.apache.org
> > >
> > > Don't grant users access to databases you don't want them to read. :)
> > >
> > > http://wiki.apache.org/couchdb/Security_Features_Overview#Authorization
> > >
> > > B.
> > >
> > > On 6 March 2013 12:33, Mark Hahn <mark@hahnca.com> wrote:
> > > > Anyone logged in can read any document in the DB.  I have to check each
> > > > user and what they are trying to do to block illegal actions.
> > > >
> > > >
> > > > On Wed, Mar 6, 2013 at 9:51 AM, Robert Newson <rnewson@apache.org> wrote:
> > > >
> > > >> "How does everyone solve the security issue?"
> > > >>
> > > >> What security problem? Only administrators can modify design documents.
> > > >>
> > > >> B.
> > > >>
> > > >> On 6 March 2013 11:38, Aurélien Bénel <aurelien.benel@utt.fr> wrote:
> > > >> > Hi,
> > > >> >
> > > >> >> Just out of curiosity, I would like to hear how CouchDB is being used in your web environment....
> > > >> >
> > > >> > We have two main setups:
> > > >> > - CouchApps,
> > > >> > - REST APIs used by heavy clients (Java or Firefox extensions) and attached Web applications.
> > > >> >
> > > >> >> How does everyone solve the security issue?
> > > >> >
> > > >> > We always use CouchDB behind a reverse proxy to add LDAP authentication and authorization when needed.
> > > >> >
> > > >> >
> > > >> > Regards,
> > > >> >
> > > >> > Aurélien
> > > >>
> >
> >
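The member rule Travis describes above (set members on the database and anonymous users lose access to its documents) in working form, as an added example that is neither part of this thread nor CouchDB's own code: a small model of how CouchDB evaluates a database's `_security` object (`admins` and `members`, each with `names` and `roles`) against the requesting user's name and roles. The database name `testdb`, the users `alice`, `bob`, `dbadmin` and the `staff` role are assumed for illustration; the security objects and user contexts are constructed inline.

```python
"""Model of CouchDB's per-database read/admin check (added example, not CouchDB code)."""
import json

# Constructed _security object for "testdb". A server admin applies it with:
#   curl -X PUT http://admin:secret@127.0.0.1:5984/testdb/_security \
#        -H 'Content-Type: application/json' -d "$(python -c 'import example; print(example.security_json())')"
# (the admin credentials are placeholders.)
LOCKED_DOWN = {
    "admins": {"names": ["dbadmin"], "roles": []},
    "members": {"names": ["alice"], "roles": ["staff"]},
}

# A freshly created database carries an empty security object.  CouchDB treats a
# database whose members section has no names and no roles as public.
PUBLIC = {
    "admins": {"names": [], "roles": []},
    "members": {"names": [], "roles": []},
}

# Request without credentials: no name, no roles.
ANONYMOUS = {"name": None, "roles": []}


def security_json():
    """The locked-down _security object as the JSON body to PUT to /testdb/_security."""
    return json.dumps(LOCKED_DOWN)


def is_server_admin(user):
    """Server admins carry the reserved _admin role.  Note: until at least one
    server admin exists ("admin party"), CouchDB gives every request this role."""
    return "_admin" in user.get("roles", [])


def _listed_in(section, user):
    """True if the user's name or any of their roles appears in a names/roles section."""
    names = set(section.get("names", []))
    roles = set(section.get("roles", []))
    name = user.get("name")
    return (name is not None and name in names) or bool(roles & set(user.get("roles", [])))


def can_read(security, user):
    """May this user read (and, absent a validate_doc_update, write) ordinary documents?"""
    if is_server_admin(user):
        return True
    members = security.get("members", {})
    # Empty members section: the database is public, anonymous included.
    if not members.get("names") and not members.get("roles"):
        return True
    # Database admins are implicitly members.
    return _listed_in(security.get("admins", {}), user) or _listed_in(members, user)


def can_edit_design_docs(security, user):
    """Design documents and the _security object itself need a database or server admin."""
    return is_server_admin(user) or _listed_in(security.get("admins", {}), user)


def access_report(security, users):
    """Evaluate several user contexts against one security object; returns {name: (read, admin)}."""
    return {
        user.get("name") or "<anonymous>": (can_read(security, user), can_edit_design_docs(security, user))
        for user in users
    }


if __name__ == "__main__":
    users = [
        ANONYMOUS,
        {"name": "alice", "roles": []},          # listed member by name
        {"name": "bob", "roles": ["staff"]},     # member via role
        {"name": "bob", "roles": []},            # logged in but not a member
        {"name": "dbadmin", "roles": []},        # database admin
        {"name": "root", "roles": ["_admin"]},   # server admin
    ]
    for label, sec in (("public", PUBLIC), ("locked down", LOCKED_DOWN)):
        print(label, access_report(sec, users))
```

The point the model makes is the one the thread circles around: creating a server admin account only ends admin party; a database stays readable and writable by anonymous requests until its `members` section lists at least one name or role. Restricting anonymous users to a single design document while still blocking `_utils` is not something the security object expresses, which is why the reply above falls back to a reverse proxy rule.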