Date: Fri, 25 May 2012 12:49:22 +0100
Subject: Re: Request object in validate_doc_update
From: Robert Newson
To: user@couchdb.apache.org

I can't think of a solid objection to this idea. The result of a
validate_doc_update can already vary based on the local security
object. Being able to inspect not only the new document, but any other
property of the request seems useful.

B.

On 25 May 2012 12:43, Luca Matteis wrote:
> I have a scenario where I'm building a CouchApp that needs to deny
> certain behavior from happening based on the user's IP address.
> However, the request object isn't available in validate_doc_update()
> functions.
>
> Would it be good to consider this as a new feature to be implemented?
> This would enable people to build much more secure CouchApps, without
> having to use proxies/firewalls and such. I personally think that
> CouchApps are opening up a whole new paradigm for developing web-apps,
> making them really easy to distribute around and to install (think of
> kanso), since they only require a simple push to a Couch instance.
>
> So adding new security features such as this, would enable even more
> apps to be built this way.
>
> What do you think?
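
Added example, not part of the original messages and not CouchDB project code: a validate_doc_update function whose verdict depends on the database's own security object, as the reply describes, using only the four arguments CouchDB passes. The "config" document type, the author field, the check() helper and the sample users and security objects are assumptions made up for illustration.

```javascript
// CouchDB calls validate_doc_update with (newDoc, oldDoc, userCtx, secObj).
// No request object is passed, so the client IP address is not visible here.
function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  var roles = userCtx.roles || [];
  if (roles.indexOf('_admin') !== -1) return; // server admin: always allowed
  if (!userCtx.name) throw { unauthorized: 'Log in before writing.' };

  // Database admins are read from this database's own security object.
  var admins = (secObj && secObj.admins) || {};
  var adminNames = admins.names || [];
  var adminRoles = admins.roles || [];
  var isDbAdmin = adminNames.indexOf(userCtx.name) !== -1 ||
    roles.some(function (r) { return adminRoles.indexOf(r) !== -1; });
  if (isDbAdmin) return;

  // Assumed rule: documents of type "config" are for database admins only.
  if (newDoc.type === 'config' || (oldDoc && oldDoc.type === 'config')) {
    throw { forbidden: 'Only database admins may change config documents.' };
  }
  // Assumed rule: other users may only write documents they authored.
  if (oldDoc && oldDoc.author !== userCtx.name) {
    throw { forbidden: 'Only the author may change this document.' };
  }
  if (!newDoc._deleted && newDoc.author !== userCtx.name) {
    throw { forbidden: 'author must match the logged-in user.' };
  }
}

// Local stand-in for the CouchDB call (hypothetical helper): returns the outcome.
function check(newDoc, oldDoc, userCtx, secObj) {
  try {
    validate_doc_update(newDoc, oldDoc, userCtx, secObj);
    return 'ok';
  } catch (e) {
    return e.forbidden ? 'forbidden' : e.unauthorized ? 'unauthorized' : 'error';
  }
}

// Constructed sample data: the same user and document against two databases.
var alice = { name: 'alice', roles: [] };
var configDoc = { _id: 'settings', type: 'config', author: 'alice' };
var secA = { admins: { names: ['alice'], roles: [] }, members: { names: [], roles: [] } };
var secB = { admins: { names: ['bob'], roles: [] }, members: { names: [], roles: [] } };

console.log(check(configDoc, null, alice, secA)); // alice administers database A
console.log(check(configDoc, null, alice, secB)); // same write, database B
```

The same design document pushed to two databases gives different verdicts for the same write, because only the security object differs.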