incubator-couchdb-user mailing list archives

From Robert Newson <rnew...@apache.org>
Subject Re: Curiosity how you use CouchDB in your web env.
Date Wed, 06 Mar 2013 19:24:38 GMT
You can also remove _utils from [httpd_global_handlers] but Futon is
not doing anything that an http request can't, it's *just* a UI.

B.

On 6 March 2013 13:21, Travis Paul <Tr@vispaul.me> wrote:
>> but still anonymous users still are able to read futon management
>> page(_utils) for all of database and documents...
>
> If you setup members on your database anonymous users can see the DB name
> but they can't see/edit the documents.
>
> If you are concerned about users being able to access _utils in general,
> even if they don't have rights to do anything, you can use a reverse proxy,
> though I can't think of any legitimate security reason to do so besides
> hiding database names, and there may be a better approach if that is what
> you are after.
>
> For example in nginx:
>
>  location /_utils {
>     deny all;
>  }
>
>
>
> On Wed, Mar 6, 2013 at 2:11 PM, TAE JIN KIM <snowebang@hotmail.com> wrote:
>
>> Let's suppose that you deployed your html to
>> http://127.0.0.1:5984/testdb/_design/frontend/Index.htm served by your
>> CouchDB directly.
>> How do you set it up in a way that anonymous users are only able to access
>> _design/front-end, but nothing else like the futon management pages (_utils)?
>> Looks like you may be able to set up an account, but anonymous users are
>> still able to read the futon management page (_utils) for all databases
>> and documents...
>>
>> Thanks,
>>
>> > Date: Wed, 6 Mar 2013 12:42:28 -0600
>> > Subject: Re: Curiosity how you use CouchDB in your web env.
>> > From: rnewson@apache.org
>> > To: user@couchdb.apache.org
>> >
>> > Don't grant users access to databases you don't want them to read. :)
>> >
>> > http://wiki.apache.org/couchdb/Security_Features_Overview#Authorization
>> >
>> > B.
>> >
>> > On 6 March 2013 12:33, Mark Hahn <mark@hahnca.com> wrote:
>> > > Anyone logged in can read any document in the DB.  I have to check each
>> > > user and what they are trying to do to block illegal actions.
>> > >
>> > >
>> > > On Wed, Mar 6, 2013 at 9:51 AM, Robert Newson <rnewson@apache.org> wrote:
>> > >
>> > >> "How does everyone solve the security issue?"
>> > >>
>> > >> What security problem? Only administrators can modify design documents.
>> > >>
>> > >> B.
>> > >>
>> > >> On 6 March 2013 11:38, Aurélien Bénel <aurelien.benel@utt.fr> wrote:
>> > >> > Hi,
>> > >> >
>> > >> >> just out of curiosity, would like to hear how CouchDB is being used in
>> > >> >> your web environment....
>> > >> >
>> > >> > We have two main setups:
>> > >> > - CouchApps,
>> > >> > - REST APIs used by heavy clients (Java or Firefox extensions) and
>> > >> >   attached Web applications.
>> > >> >
>> > >> >> How does everyone solve the security issue?
>> > >> >
>> > >> > We always use CouchDB behind a reverse proxy to add LDAP authentication
>> > >> > and authorization when needed.
>> > >> >
>> > >> >
>> > >> > Regards,
>> > >> >
>> > >> > Aurélien
>> > >>
>>
>>
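The thread's answer to "how do I keep anonymous users out of my documents" is the per-database _security object that the Security Features Overview link describes: members gate reads, admins gate design-document writes, and a database with no members configured is public. The model below is an added example, not code from the thread or from CouchDB itself; it reproduces the 1.x membership and admin rules in Python so the decisions can be tabulated offline. The names "alice", "bob", "carol", "dave", the roles "dbadmin" and "reader", and the curl line in the comment are assumptions constructed for illustration; only "testdb" and "_design/frontend" come from the original post.

```python
# Added example: a model of CouchDB 1.x per-database authorization, written to
# illustrate the thread. Not CouchDB's own code. All user names and roles below
# are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
import json


@dataclass(frozen=True)
class UserCtx:
    """What CouchDB knows about the caller: a name (None when anonymous) and roles."""
    name: Optional[str]
    roles: Tuple[str, ...] = ()


ANONYMOUS = UserCtx(None)

# Constructed _security object, i.e. the JSON body you would send with
#   curl -X PUT http://admin:pw@127.0.0.1:5984/testdb/_security -d @security.json
# (an admin credential is required for that PUT).
SECURITY_DOC = {
    "admins":  {"names": ["alice"], "roles": ["dbadmin"]},
    "members": {"names": ["bob"],   "roles": ["reader"]},
}

# A database with both sections empty: the state the original poster describes,
# where anyone, logged in or not, can read every document.
OPEN_DB = {"admins": {"names": [], "roles": []},
           "members": {"names": [], "roles": []}}


def _section(security: Dict, key: str) -> Tuple[Set[str], Set[str]]:
    sec = security.get(key) or {}
    return set(sec.get("names") or []), set(sec.get("roles") or [])


def is_server_admin(user: UserCtx) -> bool:
    # Server admins configured in local.ini carry the reserved _admin role.
    return "_admin" in user.roles


def is_db_admin(security: Dict, user: UserCtx) -> bool:
    if is_server_admin(user):
        return True
    names, roles = _section(security, "admins")
    return user.name in names or bool(roles & set(user.roles))


def is_member(security: Dict, user: UserCtx) -> bool:
    if is_db_admin(security, user):
        return True
    names, roles = _section(security, "members")
    if not names and not roles:
        return True  # no members configured: the database is public
    return user.name in names or bool(roles & set(user.roles))


def can_read(security: Dict, user: UserCtx) -> bool:
    """GET on any document, view or _all_docs of the database."""
    return is_member(security, user)


def can_write(security: Dict, user: UserCtx, doc_id: str) -> bool:
    """PUT/POST/DELETE of a document. Design documents are admin-only, which is
    why members cannot alter the CouchApp or its views. Any validate_doc_update
    function would run after this check and is not modelled here."""
    if doc_id.startswith("_design/"):
        return is_db_admin(security, user)
    return is_member(security, user)


def security_doc_body() -> str:
    """The exact JSON body to PUT to /testdb/_security."""
    return json.dumps(SECURITY_DOC)


def decision_table(security: Dict) -> Dict[str, Tuple[bool, bool, bool]]:
    """Per caller: (can read, can write a normal doc, can write a design doc)."""
    callers = {
        "anonymous": ANONYMOUS,
        "bob (member by name)": UserCtx("bob"),
        "carol (logged in, role reader)": UserCtx("carol", ("reader",)),
        "dave (logged in, no role)": UserCtx("dave"),
        "alice (db admin)": UserCtx("alice"),
        "server admin": UserCtx("root", ("_admin",)),
    }
    return {label: (can_read(security, u),
                    can_write(security, u, "doc1"),
                    can_write(security, u, "_design/frontend"))
            for label, u in callers.items()}


if __name__ == "__main__":
    for title, sec in (("testdb with members", SECURITY_DOC), ("open database", OPEN_DB)):
        print(title)
        for label, (r, w, d) in decision_table(sec).items():
            print(f"  {label:32} read={r!s:5} write={w!s:5} write _design={d}")
```

Running it shows the two facts the thread turns on: with members set, the anonymous row is false across the board, while a logged-in user who is neither a member nor an admin ("dave") is refused just the same, so the fix is the _security object rather than merely creating accounts; and on the open database the anonymous caller can read and write ordinary documents but still cannot touch _design/frontend, which is Robert's "only administrators can modify design documents". Note that hiding _utils behind the nginx rule above changes none of these rows, since Futon only issues the same HTTP requests.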
