couchdb-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sebastian Rothbucher <>
Subject Re: limit view access
Date Sun, 25 May 2014 19:12:27 GMT
Hi Michael,

I don't think there is something like a Readers field Lotus Domino had (or
has) which limits a user's ability to see info on a per-document basis.
Maybe I lack creativity, but I can't think of a reliable way to limit user
access to a subset of documents (and there to a subset of info within each
doc) without either digging very deep into (custom) Erlang or use an Apache
as a reverse proxy in front of the Couch. What you could do is use a list
function which only emits documents the user is supposed to see (or rather:
emit a part of the documents the user is supposed to see). Using only the
list function kills performance, however - so you could apply the list
function to the view you already created (using startkey, etc. in the list
function also - see
Now obviously you can be hacked very easily unless you prevent access to
the view itself (e.g. by Apache Proxy-ing settings). Likewise, to prevent
Denial of Service, you should think about enforcing a startkey and endkey
being specified (either in the list function not calling getRow() unless it
is given) and/or in the Apache configs.

Hope this helps a little - and I'd love to know whether there is a more
elegant solution also ;-)


On Sun, May 25, 2014 at 4:49 PM, Michael C. Libby <
> wrote:

> Perhaps my fundamental security model is wrong, but where I am at is: I've
> got a view that leaks information and I'd like to restrict access (perhaps
> by providing default parameters server-side).
> The use case: I have docs in a database that I want to share between users.
> The users access for each doc falls into "owner", "writer", "reader" and
> "forbidden". I am tracking the users' access in the doc itself and using
> validation to prevent inappropriate updates and using shows to filter the
> access properties out of the docs (if there is a way to have a regular GET
> not include some doc properties, I'd love to know).
> The goal is to make sure that no user can see who the other users of the
> doc are. Also, they should only know about docs they have access to and
> whether they have read or write access.
> So I set up a view that links each user to the doc
> '/db/_design/docs/_view/by_user', but obviously in the default state, this
> view shows all the users and all the docs. What I'd like is a way to
> prevent users from getting results that are for a user other than
> themselves.
> Any advice?
> Thanks,
> m. libby

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message