couchdb-user mailing list archives

From Robert Samuel Newson <>
Subject Re: Enforcing creating documents using an update handler in a CouchApp
Date Sat, 01 Mar 2014 00:34:13 GMT

Nothing forces your clients to use your update handler, so you can’t enforce anything there.

In validate_doc_update you can insist that new documents (where !oldDoc) have a timestamp
field that reflects system clock time (within some delta). An update handler can add the current
time, making it easy for clients to get it right, but a client could add the current time

Rewrite handlers restrict nothing; no client is required to use them.

Shorter: The only place in CouchDB where you can validate your document updates is validate_doc_update.


On 28 Feb 2014, at 21:57, Pascal Dennerly <> wrote:

> The specific problem I'm trying to solve is requiring that a creation
> timestamp is put in the document when it is created in the database. Yes
> yes, it's a fairly trivial thing that I was hoping to keep server side. But
> it does suggest that there could be other instances where you might want
> to do something similar. And it got me thinking.
> As the document being stored can't be modified in validate_doc_update I
> obviously looked to the update handler. Good if for some reason you don't
> trust the client to add the correct data.
> Rewrite handlers are good for restricting access to a design document but
> I'm not sure it will suffice to restrict updates to other documents. I
> would definitely use validate_doc_update for enforcing
> user/replication/model constraints once the data is created - it's just
> restricting access.
> I could use a proxy in front of my Couch instance - but I was hoping for
> something handled by CouchDB itself.
> On 28 February 2014 08:56, James Dingwall <> wrote:
>> Pascal Dennerly wrote:
>>> I've been struggling with how I might lock down PUT and POST to a DB so I
>>> can enforce a model. Now using an update handler would be ideal, but I'm
>>> struggling to find a way of preventing changes to documents directly.
>>> If validation_doc_update had context about the request, I could block any
>>> requests that didn't come through an update handler there.
>>> Does anyone have any ideas how to do this? Am I missing something?
>> With a proxy in front of CouchDB you can limit the HTTP verbs which will
>> be passed through therefore preventing PUTs.  To restrict POST you could
>> force everything through a _rewrite on the design document and only allow
>> POST requests when the url matches ^/<db>/_design/<ddoc>/_rewrite/<stuff>.
>> James
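
Added example, not part of the original message or of CouchDB's own code: a `validate_doc_update` function that requires a creation timestamp close to the server clock on new documents, next to an update handler that stamps it, run here as plain JavaScript against constructed writes. The field name `created_at`, the five-minute `MAX_SKEW_MS`, the handler name `stamp_created` and the helper `verdict` are assumptions, and the immutability check on later updates goes one step beyond what the message describes.

```javascript
// Added example; `created_at`, MAX_SKEW_MS, stamp_created and verdict are assumed names.
var MAX_SKEW_MS = 5 * 60 * 1000; // accepted distance from the server clock

// validate_doc_update: runs on every write, however the write reached the database.
function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  if (newDoc._deleted) return;
  if (oldDoc) {
    // Beyond the message: keep the creation time fixed on later updates.
    if (newDoc.created_at !== oldDoc.created_at)
      throw({ forbidden: 'created_at cannot change' });
    return;
  }
  var t = typeof newDoc.created_at === 'string' ? Date.parse(newDoc.created_at) : NaN;
  if (isNaN(t)) throw({ forbidden: 'created_at is required on new documents' });
  if (Math.abs(Date.now() - t) > MAX_SKEW_MS)
    throw({ forbidden: 'created_at is too far from server time' });
}

// Update handler: a convenience that stamps the time for the client.
// It enforces nothing by itself, because clients can write to the database directly.
function stamp_created(doc, req) {
  if (doc) return [null, { code: 409, body: 'document already exists\n' }];
  var body = JSON.parse(req.body);
  body._id = req.id || req.uuid;
  body.created_at = new Date().toISOString();
  return [body, { code: 201, json: { ok: true, id: body._id } }];
}

// Returns the rejection reason, or null when the write is accepted.
function verdict(newDoc, oldDoc) {
  try {
    validate_doc_update(newDoc, oldDoc, { name: null, roles: [] }, {});
    return null;
  } catch (e) {
    return e.forbidden;
  }
}

// Constructed sample writes: one through the handler, three written directly.
var viaHandler = stamp_created(null, { uuid: 'constructed-uuid-1', body: '{"title":"a"}' })[0];
var directGood = { _id: 'b', title: 'b', created_at: new Date().toISOString() };
var directMissing = { _id: 'c', title: 'c' };
var directStale = { _id: 'd', title: 'd', created_at: '2014-02-28T21:57:00Z' };

console.log('via handler   :', verdict(viaHandler, null));
console.log('direct, good  :', verdict(directGood, null));
console.log('direct, absent:', verdict(directMissing, null));
console.log('direct, stale :', verdict(directStale, null));
```

`validate_doc_update` also runs on documents arriving by replication, so a document created long before it replicates fails the skew check on the target database.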
