Return-Path: 
 <user-return-8128-apmail-couchdb-user-archive=couchdb.apache.org@couchdb.apache.org>
Delivered-To: apmail-couchdb-user-archive@www.apache.org
Received: (qmail 17650 invoked from network); 19 Dec 2009 12:48:28 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3)
  by minotaur.apache.org with SMTP; 19 Dec 2009 12:48:28 -0000
Received: (qmail 69716 invoked by uid 500); 19 Dec 2009 12:48:27 -0000
Delivered-To: apmail-couchdb-user-archive@couchdb.apache.org
Received: (qmail 69615 invoked by uid 500); 19 Dec 2009 12:48:26 -0000
Mailing-List: contact user-help@couchdb.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:user-help@couchdb.apache.org>
List-Unsubscribe: <mailto:user-unsubscribe@couchdb.apache.org>
List-Post: <mailto:user@couchdb.apache.org>
List-Id: <user.couchdb.apache.org>
Reply-To: user@couchdb.apache.org
Delivered-To: mailing list user@couchdb.apache.org
Received: (qmail 69605 invoked by uid 99); 19 Dec 2009 12:48:26 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 19 Dec 2009 12:48:26 +0000
X-ASF-Spam-Status: No, hits=-0.0 required=10.0
	tests=SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: domain of manuel.schoelling@gmx.de
 designates 213.165.64.20 as permitted sender)
Received: from [213.165.64.20] (HELO mail.gmx.net) (213.165.64.20)
    by apache.org (qpsmtpd/0.29) with SMTP; Sat, 19 Dec 2009 12:48:16 +0000
Received: (qmail invoked by alias); 19 Dec 2009 12:47:54 -0000
Received: from unknown (EHLO [192.168.1.6]) [89.246.201.122]
  by mail.gmx.net (mp071) with SMTP; 19 Dec 2009 13:47:54 +0100
X-Authenticated: #3331236
X-Provags-ID: V01U2FsdGVkX1+vWdsmIZ2vDUDB2RQ/3P+VYCrgUDDbc1BhHRB6AI
	hnmmBIrotwnuXY
Subject: Application security model
From: Manuel =?ISO-8859-1?Q?Sch=F6lling?= <manuel.schoelling@gmx.de>
To: user@couchdb.apache.org
Content-Type: text/plain; charset="UTF-8"
Date: Sat, 19 Dec 2009 13:47:48 +0100
Message-ID: <1261226868.2415.15.camel@roadrunner>
Mime-Version: 1.0
X-Mailer: Evolution 2.28.1 
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
X-FuHaFi: 0.67
X-Virus-Checked: Checked by ClamAV on apache.org

Hi there,

I'm just starting off with couch db.

There is something I'm wondering about: how should I implement the
authorization to access a document.

>>From an outsider's view, one would use HTTP's authorization method when
using any PUT/GET/POST/DELETE requests.
But (as I understand it correctly) this mechanism is just available for
couch db administrator accounts.

So how should I implement a web application security layer?
Is there any panacea?

On could add a security field that includes ACL data to each document.
Then any update validation, view and list must check this data against a
user id and password that must be included in the REST request.

Or should you really create one couch db admin account for each user?
(I'm referring to a web application end-user here)


Cheers,

Manuel