couchdb-user mailing list archives

From Dave Cottlehuber <...@jsonified.com>
Subject Re: CouchDB: Prevent regular users from accessing Futon
Date Fri, 15 Nov 2013 09:11:06 GMT


On 14. November 2013 at 21:54:22, Hank Knight (hknight555@gmail.com) wrote:
>  
> I want to know how to block access to Futon (_utils) for CouchDB users
> who are not administrators.
>  
> I create a user like this:
> curl -k -u nlbdmobz@sharklasers.com:password123 \
>   -X POST https://zqzqzqz555.couchappy.com/_users \
>   -d "{\"_id\": \"org.couchdb.user:${username}\",\"name\": \"${username}\",\"type\": \"user\",\"roles\": [],\"password\": \"${password}\"}" \
>   -H "Content-Type: application/json"
>  
> How can I keep that user from accessing Futon?

Alex’s removing _utils is 50% of the answer; it’s security by obscurity (although still
worth doing).

The most important point is to secure your database (validation docs, adding reader/member
roles etc) because any futon-like interface can be pointed to a given couch instance. Whatever
futon can do, a normal HTTP API can do.

A+
Dave
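To illustrate the point above (secure the database, not the UI, since anything Futon does the HTTP API does), here is an added example that is not from this thread: a `_security` document restricting the database to named roles, and a `validate_doc_update` function enforcing per-document ownership, exercised through a small local harness that mimics how CouchDB calls the validator. The role names, the `owner` field and the design document name are assumptions.

```javascript
// Added example (not from the mailing-list thread). Put securityDoc at
// PUT /<db>/_security and validate_doc_update in _design/auth; CouchDB calls
// the validator as (newDoc, oldDoc, userCtx, secObj) on every write, whether
// the write comes from Futon, curl, or any other client.
const securityDoc = {
  admins:  { names: [], roles: ["app_admin"] },   // assumed role name
  members: { names: [], roles: ["app_member"] },  // assumed role name
};

function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  // Server admins always pass.
  if (userCtx.roles.indexOf("_admin") !== -1) return;

  const listed = (group) =>
    group.names.indexOf(userCtx.name) !== -1 ||
    group.roles.some((r) => userCtx.roles.indexOf(r) !== -1);

  // CouchDB semantics: an empty members list means every authenticated
  // user is a member; database admins are implicitly members.
  const restricted = secObj.members.names.length > 0 || secObj.members.roles.length > 0;
  const isDbAdmin = listed(secObj.admins);
  const isMember = isDbAdmin || !restricted || listed(secObj.members);

  // CouchDB already rejects non-members before reaching this function when
  // members are set; the check is repeated so the validator documents intent.
  if (!isMember) {
    throw { forbidden: "Only database members may write to this database." };
  }

  // Plain members may only create or change documents they own ("owner" is
  // an assumed application field, not a CouchDB built-in).
  if (!isDbAdmin) {
    if (newDoc.owner !== userCtx.name) {
      throw { forbidden: "owner must equal your user name" };
    }
    if (oldDoc && oldDoc.owner !== userCtx.name) {
      throw { forbidden: "cannot modify another user's document" };
    }
  }
}

// Local harness: returns "ok" or the reason CouchDB would put in its 403 body.
function tryWrite(newDoc, oldDoc, userCtx) {
  try {
    validate_doc_update(newDoc, oldDoc, userCtx, securityDoc);
    return "ok";
  } catch (e) {
    return e.forbidden;
  }
}
```

With the members list populated, a user outside those roles gets a 403 from CouchDB itself on reads and writes, so removing `_utils` becomes a cosmetic extra rather than the control.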

