incubator-couchdb-user mailing list archives

From Manuel Schölling <manuel.schoell...@gmx.de>
Subject Application security model
Date Sat, 19 Dec 2009 12:47:48 GMT
Hi there,

I'm just starting off with CouchDB.

There is something I'm wondering about: how should I implement the
authorization to access a document?

From an outsider's view, one would use HTTP's authorization method when
using any PUT/GET/POST/DELETE requests.
But (if I understand it correctly) this mechanism is just available for
CouchDB administrator accounts.

So how should I implement a web application security layer?
Is there any panacea?

One could add a security field that includes ACL data to each document.
Then any update validation, view and list must check this data against a
user id and password that must be included in the REST request.

Or should you really create one CouchDB admin account for each user?
(I'm referring to a web application end-user here)


Cheers,

Manuel
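
The per-document ACL idea raised in the message above, written as a CouchDB update validation function. This is an added example, not part of the original post: the `security.writers` field layout and the name `validateDocUpdate` are assumptions (in a design document the function is stored under `validate_doc_update`), and it relies on CouchDB passing the authenticated user as `userCtx` rather than on credentials carried in the document.

```javascript
// Added example (not from the original message).
// Assumed document layout: { ..., "security": { "writers": ["alice", "bob"] } }
function validateDocUpdate(newDoc, oldDoc, userCtx) {
  // Server admins bypass the per-document ACL.
  if (userCtx.roles.indexOf('_admin') !== -1) {
    return;
  }
  // Anonymous requests arrive with userCtx.name === null.
  if (!userCtx.name) {
    throw({ unauthorized: 'Authentication required.' });
  }

  // Return the writers list of a document, or null if absent/malformed.
  function writersOf(doc) {
    var acl = doc && doc.security;
    return (acl && Array.isArray(acl.writers)) ? acl.writers : null;
  }

  if (oldDoc) {
    // Authorize against the STORED ACL. Trusting newDoc.security here
    // would let any user grant themselves access in the same request.
    var allowed = writersOf(oldDoc);
    if (!allowed || allowed.indexOf(userCtx.name) === -1) {
      throw({ forbidden: 'User is not a writer of this document.' });
    }
  }

  // Deletions carry no body; the check against oldDoc above is enough.
  if (newDoc._deleted) {
    return;
  }

  // Every stored revision must keep a usable ACL.
  var next = writersOf(newDoc);
  if (!next || next.length === 0) {
    throw({ forbidden: 'Document must carry a non-empty security.writers list.' });
  }
  // On creation, the creator must be listed so the document has an owner.
  if (!oldDoc && next.indexOf(userCtx.name) === -1) {
    throw({ forbidden: 'Creator must be listed in security.writers.' });
  }
}
```

Validation functions run only on writes, so this does not restrict who can read a document or see it in a view.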


