Subject: Re: Disabling doc include
From: Robert Newson
Date: Thu, 2 Jan 2014 12:22:22 +0000
To: user

It doesn’t achieve the same effect, though, the virtual host + url rewriter is not an access control mechanism. You’re still granting database-wide read permissions to the user.

B.

On 2 Jan 2014, at 09:09, Florian Westreicher Bakk.techn. wrote:

> I put a design doc behind a desk record / virtual host, that should do the trick. The user that is used by the app is read only
>
> Robert Newson wrote:
>> "there’s no notion of read-protection in CouchDB."
>>
>> There’s no document level read protection, but you can certainly grant
>> or deny read access to users on a per database basis. That’s by design
>> due to the ease that information could leak out through views
>> (particularly reduce views). The restrictive proxy approach is brittle,
>> it requires that you know all the URL patterns to block and keep them
>> up to date when you upgrade CouchDB. It can work, it’s just not
>> awesome.
>>
>> B.
>>
>> .
>>
>> On 1 Jan 2014, at 20:47, Jens Alfke wrote:
>>
>>>
>>> On Dec 31, 2013, at 1:44 AM, meredrica wrote:
>>>
>>>> I expose CouchDB directly to mobile clients and wanted to hide some
>>>> information from them.
>>>
>>> You can’t really do that; there’s no notion of read-protection in CouchDB.
>>> As a workaround you can put CouchDB behind a proxy or gateway, and restrict the URL patterns that clients are allowed to send.
>>>
>>> —Jens
>>>
>
> --
> Sent from Kaiten Mail. Please excuse my brevity.
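
The proxy or gateway restriction discussed in this thread, sketched as an added example (not code from any participant or from CouchDB): a default-deny allowlist instead of a list of patterns to block, so an endpoint the gateway does not know about is refused rather than passed through. The database, design document and view names and the permitted query parameters are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed names for illustration: (database, design doc, view) the app may read.
ALLOWED_VIEWS = {("appdb", "public", "by_title")}
# Query parameters passed through; include_docs is deliberately absent.
ALLOWED_PARAMS = {"key", "startkey", "endkey", "limit", "skip", "descending"}


def gateway_allows(method, target):
    """Return (allowed, reason) for one request; anything unrecognised is denied."""
    if method != "GET":
        return False, "method not allowed"
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False, "absolute or network-path target"
    # CouchDB also accepts encoded forms such as _design%2Fname; refuse
    # encoded paths outright instead of trying to normalise them.
    if "%" in parts.path:
        return False, "percent-encoding in path"
    seg = parts.path.split("/")
    # Expected shape: /<db>/_design/<ddoc>/_view/<view>
    if len(seg) != 6 or seg[0] != "" or seg[2] != "_design" or seg[4] != "_view":
        return False, "not a view URL"
    if (seg[1], seg[3], seg[5]) not in ALLOWED_VIEWS:
        return False, "view not allowlisted"
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in ALLOWED_PARAMS:
            return False, "parameter not allowed: " + name
        if len(values) != 1:
            return False, "repeated parameter: " + name
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, not taken from the thread.
    samples = [
        ("GET", "/appdb/_design/public/_view/by_title?limit=10"),
        ("GET", "/appdb/_design/public/_view/by_title?include_docs=true"),
        ("GET", "/appdb/_all_docs?include_docs=true"),
        ("GET", "/appdb/_design%2Fpublic/_view/by_title"),
    ]
    for method, target in samples:
        print(method, target, "->", gateway_allows(method, target))
```

This only holds if CouchDB is unreachable except through the gateway, and, as the reply at the top of the thread says, the account behind it still has database-wide read permission.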