incubator-couchdb-user mailing list archives

From Jens Alfke <j...@couchbase.com>
Subject Re: limit view access
Date Sun, 25 May 2014 19:04:49 GMT

On May 25, 2014, at 7:49 AM, Michael C. Libby <michael.c.libby@gmail.com> wrote:

> The goal is to make sure that no user can see who the other users of the
> doc are. Also, they should only know about docs they have access to and
> whether they have read or write access.

CouchDB simply doesn’t have those kinds of access controls. Any user with access to a database
can see all the contents of all the documents in the database, and query all the views. You
can try to filter stuff out with show functions, but it’s trivial to work around by just
doing a GET of the document or view itself.

The only way I know of to work around this is to use external software to block access to
the REST API. The safest way is to completely block direct access to CouchDB and use a separate
app server to generate the HTML, i.e. the same approach you’d use with MySQL.

—Jens
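
An added example, not part of the original message and not CouchDB code: a sketch of the per-user filtering a separate app server would do once direct access to CouchDB is blocked, as the reply above describes. The `acl` field layout, the function names and the sample documents are assumptions constructed for illustration.

```javascript
// Constructed sample documents. The `acl` field layout is an assumption made
// for this example; CouchDB itself attaches no meaning to it.
const sampleDocs = [
  { _id: "budget", _rev: "1-a", title: "Budget", body: "Q3 numbers",
    acl: { readers: ["alice", "bob"], writers: ["carol"] } },
  { _id: "roadmap", _rev: "1-b", title: "Roadmap", body: "Plans",
    acl: { readers: ["bob"], writers: ["alice"] } },
  { _id: "hr-notes", _rev: "1-c", title: "HR notes", body: "Private",
    acl: { readers: [], writers: ["carol"] } },
  { _id: "legacy", _rev: "1-d", title: "No ACL", body: "Old data" },
];

// Returns "write", "read" or null. A missing or malformed ACL denies access.
function accessLevel(doc, user) {
  const acl = doc && doc.acl;
  if (!acl || typeof user !== "string" || user === "") return null;
  if (Array.isArray(acl.writers) && acl.writers.includes(user)) return "write";
  if (Array.isArray(acl.readers) && acl.readers.includes(user)) return "read";
  return null;
}

// Copy of the document that is safe to hand to `user`: the ACL (the list of
// other users) is dropped and replaced by the caller's own access level.
function projectForUser(doc, user) {
  const access = accessLevel(doc, user);
  if (access === null) return null;
  const { acl, ...visible } = doc;
  return { ...visible, access };
}

// Listing for `user`: documents without access are omitted entirely, so their
// ids and titles never reach the client.
function listForUser(docs, user) {
  return docs.map((d) => projectForUser(d, user)).filter((d) => d !== null);
}

// Single-document fetch. "No access" and "no such document" look the same.
function getForUser(docs, id, user) {
  const doc = docs.find((d) => d._id === id);
  const visible = doc ? projectForUser(doc, user) : null;
  return visible ? { status: 200, body: visible } : { status: 404 };
}
```

This filtering only holds if the app server is the sole client of the database; any path that reaches the raw document or view bypasses it.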