couchdb-user mailing list archives

From Travis Paul ...@visPaul.me>
Subject Re: Curiosity how you use CouchDB in your web env.
Date Wed, 06 Mar 2013 19:21:04 GMT
>but still anonymous users still are able to read futon management
>page(_utils) for all of database and documents...

If you set up members on your database, anonymous users can see the DB name
but they can't see/edit the documents.

If you are concerned about users being able to access _utils in general,
even if they don't have rights to do anything, you can use a reverse proxy,
though I can't think of any legitimate security reason to do so besides
hiding database names, and there may be a better approach if that is what
you are after.

For example in nginx:

 location /_utils {
    deny all;
 }



On Wed, Mar 6, 2013 at 2:11 PM, TAE JIN KIM <snowebang@hotmail.com> wrote:

> Let's suppose that you deployed your html to
> http://127.0.0.1:5984/testdb/_design/frontend/Index.htm served by your
> CouchDB directly.
> How do you set up in a way that anonymous users are only able to access
> _design/front-end, but nothing else like futon management pages(_utils)?
> Looks like you may be able to set up an account, but still anonymous users
> still are able to read futon management page(_utils) for all of database
> and documents...
>
> Thanks,
>
> > Date: Wed, 6 Mar 2013 12:42:28 -0600
> > Subject: Re: Curiosity how you use CouchDB in your web env.
> > From: rnewson@apache.org
> > To: user@couchdb.apache.org
> >
> > Don't grant users access to databases you don't want them to read. :)
> >
> > http://wiki.apache.org/couchdb/Security_Features_Overview#Authorization
> >
> > B.
> >
> > On 6 March 2013 12:33, Mark Hahn <mark@hahnca.com> wrote:
> > > Anyone logged in can read any document in the DB.  I have to check each
> > > user and what they are trying to do to block illegal actions.
> > >
> > >
> > > On Wed, Mar 6, 2013 at 9:51 AM, Robert Newson <rnewson@apache.org> wrote:
> > >
> > >> "How does everyone solve the security issue?"
> > >>
> > >> What security problem? Only administrators can modify design documents.
> > >>
> > >> B.
> > >>
> > >> On 6 March 2013 11:38, Aurélien Bénel <aurelien.benel@utt.fr> wrote:
> > >> > Hi,
> > >> >
> > >> >> just out of curiosity, would like to hear how CouchDB is being used in your web environment....
> > >> >
> > >> > We have two main setups:
> > >> > - CouchApps,
> > >> > - REST APIs used by heavy clients (Java or Firefox extensions) and attached Web applications.
> > >> >
> > >> >> How does everyone solve the security issue?
> > >> >
> > >> > We always use CouchDB behind a reverse proxy to add LDAP authentication and authorization when needed.
> > >> >
> > >> >
> > >> > Regards,
> > >> >
> > >> > Aurélien
> > >>
>
>
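
An added example, not part of any message in this thread: the reverse-proxy approach turned from a denylist on /_utils into an allowlist for the one path the question wants public. The hostname and listen port are placeholders, and it assumes CouchDB is bound to 127.0.0.1 only, so clients cannot reach port 5984 directly.

```nginx
# Added example (not from the thread). Place inside the http {} context.
# Assumptions: server_name and listen port are placeholders; CouchDB
# listens only on 127.0.0.1:5984, so the proxy cannot be bypassed.

server {
    listen      80;
    server_name couch.example.invalid;   # placeholder hostname

    # Allowlist: the CouchApp's design document paths
    # (prefix taken from the URL in the question).
    location /testdb/_design/frontend/ {
        # Read-only: GET (and therefore HEAD) pass, all other methods are refused.
        limit_except GET {
            deny all;
        }
        proxy_pass       http://127.0.0.1:5984;
        proxy_set_header Host $host;
    }

    # Everything else (/_utils, /_all_dbs, /testdb/_all_docs, other
    # databases) is answered by nginx and never reaches CouchDB.
    location / {
        return 403;
    }
}
```

The allowed prefix also covers the design document's _view, _show and _list paths, so anything those functions emit is readable by anonymous users. Check the result by requesting /_utils/ and /_all_dbs through the proxy and confirming both return 403.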
