incubator-couchdb-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robert Newson <rnew...@apache.org>
Subject Re: Request object in validate_doc_update
Date Mon, 28 May 2012 15:46:24 GMT
You can achieve this with an update handler
(http://wiki.apache.org/couchdb/Document_Update_Handlers) but it could
be bypassed by a savvy user. I don't see why a validate_doc_update
function couldn't enforce this it if had access to the req object. I'm
+1.

B.

On 28 May 2012 16:06, Luca Matteis <lmatteis@gmail.com> wrote:
> Sure. For example I'm allowing my users to vote on certain "items" in
> my database. This will allow me to understand the amount of
> satisfaction of these items. I can easily validate and make sure each
> user is commenting only once, however, someone might simply create a
> new account and re-vote for that item. This defeats the purpose of the
> voting system.
> My solution would be to check based on the IP of the voter, no matter
> what user they're logged in with.
>
> Does this make sense? Thanks.
>
> On Mon, May 28, 2012 at 3:50 PM, Robert Newson <rnewson@apache.org> wrote:
>> I fear I've derailed this thread, so let's shelve the admin@127.0.0.1
>> idea for another time and thread.
>>
>> To address the original question;
>>
>> "I have a scenario where I'm building a CouchApp that needs to deny
>> certain behavior from happening based on the user's IP address.
>> Would it be good to consider this as a new feature to be implemented?"
>>
>> Being able to build richer applications within the 2-tier couchapp
>> model is a project goal so I'm generally for the proposal to expose
>> the req object in VDU (since you can access it in show and list and it
>> seems to break nothing). I suspect the full feature set required for
>> your application to not require a proxy or firewall has not been
>> spelled out in detail and, I further suspect, some of it will be
>> better done with a firewall.
>>
>> Could you expand on the 'certain behavior' that should be restricted
>> based on IP? A few examples would help.
>>
>> B.
>>
>> On 28 May 2012 14:38, Simon Metson <simon@cloudant.com> wrote:
>>> Hi,
>>>
>>>
>>> On Monday, 28 May 2012 at 14:12, Robert Newson wrote:
>>>
>>>> The other proposal might be to allow the granting of
>>>> rights by IP address, much as MySQL does. In fact, I believe this idea
>>>> is part of the Summit proposal to enhance our security model. I should
>>>> be able to grant _admin rights to a user if and only if they come from
>>>> 127.0.0.1, for example.
>>>
>>> We wrote something like this for our deployment at CERN. I thought it had been
contributed back to the trunk, but maybe it got lost along the way. I'll see if I can find
out the status of it.
>>> Cheers
>>> Simon

Mime
View raw message