incubator-couchdb-user mailing list archives

From Zachary Zolton <zachary.zol...@gmail.com>
Subject Basic security help
Date Wed, 03 Nov 2010 14:58:41 GMT
Roger,

If you want folks to be able to sign up by themselves, using nothing
but a CouchApp, you must leave the _users database readable to anyone.
For certain apps--where the users' profiles are public anyways--having
the _users DB world-readable doesn't necessarily matter.

If I didn't want the _users database to be readable, I'd create a
frontend webapp (using my favorite HTTP scripting environment at the
moment) to create users via an admin account.


Cheers,

Zach

On Wed, Nov 3, 2010 at 4:07 AM,  <roger.moffatt@gmail.com> wrote:
>> To create a normal user with a role of "reader", just PUT
>> {"name":"username","roles":["reader"]....} to
>> /_users/org.couchdb.user:username
>
> OK ... but what about the password? Is there a complete example
> anywhere of this working?
>
> I managed to stumble through it all last night by logging out and then
> using the sign up process, except that when you have security on the
> _users database (which seems prudent) you don't have any rights to
> access it because you are signed out! So in order to do it, you have
> to turn security OFF, then create the users and then remember to turn
> security back on. Seems a bit crazy no?
>
> Shouldn't Futon have the ability to create normal users and shouldn't
> this be an activity restricted to administrators?
>
> I know one can argue that you can add security via a proxy, but that
> instantly makes the whole setup doubly complicated and shouldn't be
> the default option.
>
> Roger
>
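
An added example, not part of the original messages: a sketch of the admin-side user creation described in the reply above, including the password field asked about in the quoted message. It assumes a CouchDB release that hashes the "password" field server-side (1.2 and later); the URL, username pattern, role allow-list and minimum password length are illustrative choices.

```python
import base64
import json
import re
import urllib.parse
import urllib.request

# Assumed values for illustration; none of these come from the thread.
COUCH_URL = "http://127.0.0.1:5984"
USERNAME_RE = re.compile(r"[a-z0-9][a-z0-9_.-]{0,63}")
ALLOWED_ROLES = {"reader"}   # roles this frontend is willing to grant
MIN_PASSWORD_LEN = 12        # local policy, not a CouchDB requirement


def build_user_doc(name, password, roles=("reader",)):
    """Return (doc_id, doc) for a new user, rejecting unsafe input."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError("password too short")
    extra = set(roles) - ALLOWED_ROLES
    if extra:
        # The caller never gets to pick arbitrary roles such as _admin.
        raise ValueError("role not allowed: %s" % sorted(extra))
    doc = {"name": name, "type": "user",
           "roles": sorted(roles), "password": password}
    return "org.couchdb.user:" + name, doc


def build_create_request(name, password, admin_user, admin_pass,
                         roles=("reader",)):
    """Build the PUT that the frontend sends with admin credentials."""
    doc_id, doc = build_user_doc(name, password, roles)
    url = "%s/_users/%s" % (COUCH_URL, urllib.parse.quote(doc_id, safe=""))
    cred = ("%s:%s" % (admin_user, admin_pass)).encode()
    headers = {"Content-Type": "application/json",
               "Authorization": "Basic " + base64.b64encode(cred).decode()}
    return urllib.request.Request(url, data=json.dumps(doc).encode(),
                                  method="PUT", headers=headers)


def create_user(*args, **kwargs):
    """Send the request; CouchDB answers 201 when the user is created."""
    req = build_create_request(*args, **kwargs)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status
```

Only the frontend holds the admin credentials, so the _users database can stay closed to anonymous readers; use HTTPS for COUCH_URL whenever CouchDB is not on the same host.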
