Mailing-List: contact user-help@couchdb.apache.org; run by ezmlm
Precedence: bulk
Reply-To: user@couchdb.apache.org
Received-SPF: pass (nike.apache.org: domain of travis.jensen@gmail.com
 designates 209.85.210.52 as permitted sender)
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:sender:from:date:x-google-sender-auth:message-id
         :subject:to:content-type;
        b=rw6vj+U6wcwip+1W7467LBhTbnp7ECEAcYFrnwtVp89DkCMQFWswap1f0ylnVdij8q
         HatM0x0et7azMxvtF0+tvSHNdAQWKtyPJY/GuaH9DDEs+H0ToGSAG3rgLSnhP/zys43D
         jB2xsHK3TGoqac7fEPvtIbmM1/nwjkQjqfmt0=
MIME-Version: 1.0
Sender: travis.jensen@gmail.com
From: Travis Jensen <travis@clicklock.com>
Date: Mon, 13 Jun 2011 13:37:25 -0600
Message-ID: <BANLkTikPS3EQUyOK_0m-zLTQkfPMsSVgeA@mail.gmail.com>
Subject: Handling ACLs
To: user@couchdb.apache.org
Content-Type: multipart/alternative; boundary=bcaec51a73204bb74304a59d0eff

--bcaec51a73204bb74304a59d0eff
Content-Type: text/plain; charset=ISO-8859-1

Hi, all,

I'm trying to figure out the best way to manage what can best be described
as ACLs inside of couch. The best example I've got is to think about
documents as emails. A message has an owner (the sender aka From), a list of
recipients (the To and Cc fields), and a list of blind recipients (the Bcc
field). Just like in email, everybody can see the From, To, and Cc fields.
Members of the Bcc field can only see themselves and not other Bcc
recipients.

I've trying to figure out the best method of storing this ACL information.
My original thought was to store something like this, having a validation
function test that the user exists in one of the groups:

{
  "from": "...",
  "to":   [ "...", "..." ],
  "cc":   [ "...", "..." ],
  "bcc":  [ "...", "..." ],
  "subject": "...",
  "body": "..."
}

The problem with this is that somebody in the "to" list gets to see
everybody in the "bcc" list. (Also, while it seems bad to mix meta data with
real data, my actual application will not be doing this. This entire
document is meta-data, with the real document being attached to this
meta-data).

So then I thought about using separate documents to track the ACLs, with a
pointer to the actual document. Then the "bcc" people could be separated
from the "to" and "cc" people. For example:

{
  "_id": "abcd-1234-...",
  "type": "message",
  "subject": "...",
  "body": "..."
}

{
  "type": "acl",
  "message": "abcd-1234-...",
  "to": ["...", "..."],
  "cc": ["...", "..."]
}

{
  "type": "acl",
  "message": "abcd-1234-...",
  "bcc": "..."
}

The problem there is that I need to run a query to figure out whether
somebody is allowed access to the document ("get all documents where
type="acl" and message="abcd-1234-...."). I'm fairly new to CouchDB, so I'm
not sure if that is a bad thing or not.

The final solution I thought of is to use the first document format, but
prohibit access to the document directly using GET requests (except for
replication requests). All GET access would require using a show function
that strips out the bcc's that shouldn't be seen. The problem I see with
this is that, while emails are read-only, my documents aren't actually
read-only. This means I've got to figure out how to make sure all the right
bcc people get re-inserted into the document if a "to" or "cc" updates the
document, since they can't see the bcc field.

Is there a fourth option I'm not seeing or is the second option not as bad
as I'm thinking? How would you handle this?

Thanks.

tj
-- 
*Travis Jensen*
***Product Manager*
*ClickLock
*
*
*
***travis@clicklock.com <travs@clicklock.com>*
*801 755 7362*
*http://clicklock.com
*

--bcaec51a73204bb74304a59d0eff--