incubator-couchdb-user mailing list archives

From Paweł Stawicki <>
Subject Common security pattern?
Date Sun, 03 Jan 2010 13:31:19 GMT

I am thinking about using CouchDB in an app I want to create. In CouchDB
I can get documents directly from the client's browser with JavaScript and
it is great, but I have some concerns. I want the app to be accessible
to everyone without the need to have an account or log in (like
Wikipedia). If I want everyone to have access to documents, CouchDB
has to be accessible to the whole internet. If this is the case,
everyone can even delete the whole database with a single HTTP query :(

It is inevitable that if the DB is accessible on the internet, everyone
can edit/add/delete documents. After all, this is what I want. But I
don't want to allow deletion of the whole database. Or access to other
databases on the same CouchDB server.

Even if I can prevent deletion of the whole database, I can't prevent
deletion of single documents, and a malicious user could delete them one
by one.

So in a nutshell, I have questions:
1. Is it possible to prevent deletion of the database?
2. Is it possible to prevent deletion of documents? Or, even better...
3. Is it possible to limit the number of deleted documents for a specific
IP per time unit? E.g. one document deletion per minute?

Best regards
Paweł Stawicki
