incubator-couchdb-user mailing list archives

From Joan Touzet <jo...@lrtw.org>
Subject Re: limit view access
Date Sun, 25 May 2014 18:09:53 GMT
Hi Michael,

Natively, CouchDB cannot provide this functionality. The canonical answer
is to use a proxy in front of CouchDB that can limit access to certain
URLs, or to deploy a middleware layer written in your favourite language
that can broker the access.

Best regards,
Joan

----- Original Message -----
From: "Michael C. Libby" <michael.c.libby@gmail.com>
To: user@couchdb.apache.org
Sent: Sunday, May 25, 2014 10:49:38 AM
Subject: limit view access

Perhaps my fundamental security model is wrong, but where I am at is: I've
got a view that leaks information and I'd like to restrict access (perhaps
by providing default parameters server-side).

The use case: I have docs in a database that I want to share between users.
The users' access for each doc falls into "owner", "writer", "reader" and
"forbidden". I am tracking the users' access in the doc itself and using
validation to prevent inappropriate updates and using shows to filter the
access properties out of the docs (if there is a way to have a regular GET
not include some doc properties, I'd love to know).

The goal is to make sure that no user can see who the other users of the
doc are. Also, they should only know about docs they have access to and
whether they have read or write access.

So I set up a view that links each user to the doc
'/db/_design/docs/_view/by_user', but obviously in the default state, this
view shows all the users and all the docs. What I'd like is a way to
prevent users from getting results that are for a user other than
themselves.

Any advice?

Thanks,
m. libby
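
The brokering layer suggested in the reply could make its decision like this. This is an added example, not part of the thread and not CouchDB code; the function name `broker`, the paging allowlist, and the assumption that the `by_user` view emits the user name as its key are all hypothetical.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode

# View path taken from the original question; every other path is denied.
VIEW_PATH = "/db/_design/docs/_view/by_user"
# Paging options a client may set. Key-selection options (key, keys,
# startkey, endkey, ...) and include_docs are never forwarded.
PAGING = {"limit", "skip"}


def broker(auth_user, method, path, raw_query=""):
    """Return (status, upstream_url); upstream_url is None when refused.

    auth_user is the identity the proxy itself authenticated, never a
    value read from the request. Assumes (hypothetically) that the view
    emits the user name as its key and that CouchDB is reachable only
    through this broker.
    """
    if not auth_user:
        return 401, None
    # Views also accept POST with a "keys" body, so only GET is brokered.
    # Exact string match: encoded or dotted path variants fall through to 403.
    if method != "GET" or path != VIEW_PATH:
        return 403, None
    paging = {}
    for name, value in parse_qsl(raw_query, keep_blank_values=True):
        if name not in PAGING:
            continue  # silently drop anything that could widen the result set
        if not re.fullmatch(r"[0-9]{1,6}", value):
            return 400, None
        paging[name] = value  # last occurrence wins, duplicates collapse
    # Pin the view to the caller's own rows. json.dumps quotes and escapes
    # the name so it cannot break out of the JSON string CouchDB expects.
    params = [("key", json.dumps(auth_user))] + sorted(paging.items())
    return 200, VIEW_PATH + "?" + urlencode(params)


if __name__ == "__main__":
    # Constructed request: "alice" asks for bob's rows and gets her own.
    print(broker("alice", "GET", VIEW_PATH, "key=%22bob%22&limit=10"))
```

The same default-deny shape applies whether the check runs in a reverse proxy rule set or in application middleware: the client never chooses the key, and anything not explicitly brokered is refused.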
