incubator-couchdb-user mailing list archives

From Dave Cottlehuber <d...@muse.net.nz>
Subject Re: How do non-admin users get roles in a couchapp?
Date Fri, 17 Aug 2012 07:58:50 GMT
On 17 August 2012 00:47, Pete Vander Giessen <petevg@gmail.com> wrote:
> Hi All,
>
> I've got a couch 1.2 question:
>
> With the updated _user db security, non-admin users cannot update
> their own roles. Which makes lots of sense, from a security
> perspective :-)
>
> My question is, what is the most "couchy" ("relaxing?") way to handle
> a situation where a user signs up for an account in some couchapp, and
> wants to get access to a database that is part of that couchapp?
> (We're assuming that we, as the admin, also want the user to have
> access.)
>
> Is the "right" answer to code some external process, running with
> admin permissions, that can handle the users' request for access to
> the db? Or is there something fancy that can be done with
> validate_doc_updates on the _user database, or similar, so that we can
> code up the entire application as a couchapp?

User DB roles are stored on a special JSON object /db/_security/ but
validate_doc_updates only gets access to the current doc and the new doc version,
so that's not an option.

I'd be interested to see what other options are proposed for this, but
I'd use the changes feed on _users while connected as an admin. This
seems the most sensible to me:

GET /_users/_changes?feed=continuous&since=3&include_docs=true HTTP/1.1
Accept: application/json
Accept-Encoding: identity, deflate, compress, gzip
Authorization: Basic YWRtaW46cGFzc3dk
Host: localhost:5984
User-Agent: HTTPie/0.2.7


HTTP/1.1 200 OK
Cache-Control: must-revalidate
Content-Type: application/json
Date: Fri, 17 Aug 2012 07:48:22 GMT
Server: CouchDB/1.3.0a- (Erlang OTP/R15B01)
Transfer-Encoding: chunked

{
    "seq": 4,
    "id": "org.couchdb.user:wibble",
    "changes": [{
        "rev": "1-717a276549e9654a3a3c88b613d08d2e"
    }],
    "doc": {
        "_id": "org.couchdb.user:wibble",
        "_rev": "1-717a276549e9654a3a3c88b613d08d2e",
        "password_scheme": "pbkdf2",
        "iterations": 10000,
        "name": "wibble",
        "roles": [],
        "type": "user",
        "derived_key": "7b10d2e71661cc84b3886405f96d9b9cf32848b6",
        "salt": "3086d8b2cf674e109b277eb1173d83da"
    }
}

I'd likely do this as an external handler so couchdb ensures that it's
always running when CouchDB is:

http://couchdb.readthedocs.org/en/latest/1.1/other.html?highlight=os_daemons
& some more details http://davispj.com/2010/09/26/new-couchdb-externals-api.html

> Again, this is specifically for couch 1.2 -- I know that old versions
> of couch were a bit more liberal with who got to write to the users db
> ...
>
> Thank you for your time,
>
> ~PeteVG
>
> "The problem with Internet quotations is that many are not genuine."
> ~ Abraham Lincoln

nice.

"Wise men create proverbs, only fools repeat them."
~ Dave Cottlehuber circa 1990AD
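An added example, not part of either message above, of the admin-side daemon Dave describes: it follows the continuous _users changes feed and adds one fixed role to each new user doc, which the application database's /db/_security members.roles then honours. The base URL, the admin credentials and the role name app_member are assumptions for illustration; the decision logic is kept in a pure function so it can be checked without a running CouchDB.

```python
import base64
import json
import urllib.error
import urllib.request

COUCH = "http://localhost:5984"                            # assumed CouchDB base URL
ADMIN_AUTH = base64.b64encode(b"admin:passwd").decode()   # hypothetical admin credentials
GRANT_ROLE = "app_member"  # hypothetical role; list it once in the app db's _security members.roles


def plan_role_grant(change, role=GRANT_ROLE):
    """Given one parsed line of GET /_users/_changes?include_docs=true, return the
    user doc with `role` appended, or None when nothing should be written.
    Skips deletions, non-user docs such as _design/_auth, and users who already
    hold the role. Only the fixed role is added; nothing else in the doc (which the
    user may have written) influences what the daemon grants."""
    doc = change.get("doc")
    if change.get("deleted") or not doc or doc.get("type") != "user":
        return None
    roles = list(doc.get("roles", []))
    if role in roles:
        return None
    updated = dict(doc)            # shallow copy; the caller's change is left untouched
    updated["roles"] = roles + [role]
    return updated


def follow_users_feed(since=0):
    """Consume the continuous feed as admin (the request shown above) and PUT each
    planned grant back to _users. Network-only; not exercised by the offline check."""
    headers = {"Authorization": "Basic " + ADMIN_AUTH, "Content-Type": "application/json"}
    url = f"{COUCH}/_users/_changes?feed=continuous&since={since}&include_docs=true"
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        for raw in resp:
            line = raw.strip()
            if not line:           # continuous feeds emit blank heartbeat lines
                continue
            updated = plan_role_grant(json.loads(line))
            if updated is None:
                continue
            put = urllib.request.Request(f"{COUCH}/_users/{updated['_id']}",
                                         data=json.dumps(updated).encode(),
                                         method="PUT", headers=headers)
            try:
                urllib.request.urlopen(put).close()
            except urllib.error.HTTPError as err:
                if err.code != 409:  # 409: someone edited the doc first; the feed will redeliver it
                    raise


# Constructed sample change, shaped like the seq 4 entry in the message above
SAMPLE_CHANGE = {"seq": 4, "id": "org.couchdb.user:wibble",
                 "changes": [{"rev": "1-717a276549e9654a3a3c88b613d08d2e"}],
                 "doc": {"_id": "org.couchdb.user:wibble", "name": "wibble",
                         "roles": [], "type": "user"}}
```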
