Access validation for docs and views

[Fedor Indutny <fe...@gmail.com>]

Hi everyone!

You've discussed earlier possibility of adding access validators to _design
documents, this feature it's a kind of thing that many couchdb users will be
glad to see.
The conclusion of previous discussion was that we can't add this validators,
because we actually won't be able to tell later, whether user can access
_design/view or not.

What if we could add *validate_view_**access *to _design document?
It's not only fix of problem, I've mentioned above, but also a feature:
You'll be able to allow user to access only view, without having an access
to a full document.
So, for example, views could show only *title* field of document, while *
price* field will be hidden in a document itself.

What do you think?

-- 
(Node.js, Ruby, Python, PHP developer)
Fedor Indutny

Re: Access validation for docs and views

[Fedor Indutny <fe...@gmail.com>]

I think we must discuss here, whether we can bypass this access limitation
or not.
If we can - this access limitation is useless, if not - we definitely must
review it and think about adding this to couchdb.

2010/11/9 Fedor Indutny <fe...@gmail.com>

> So I'm extending my proposal with this example:
>
> Big company's people are stored in couchdb (200 - 400 people), with
> "salary" field.
> You may create views that will show total salary or salary of each
> developers group, while not permitting to access individual salary.
> My proposal: limiting views and docs separately.
>
> 2010/11/9 Fedor Indutny <fe...@gmail.com>
>
> Yes, sorry it was not clear, but it's exactly like you're saying.
>>
>> So my proposal is:
>> Add *validate_doc_view* function in _design documents with arguments like
>> *doc, userCtx, req*.
>> Add *validate_view_access* function into _design/views/view_name with
>> arguments like *req, userCtx*.
>>
>> Example:
>> http://indutny.couchone.com/_utils/document.html?access_proposal/_design/test (admin
>> party is here, so feel free to try anything).
>>
>> So you can throw {forbidden: "some text"} in any of this callbacks, if
>> user have no access to item.
>>
>> Also for views, you can limit access to specific range for user (like in
>> example).
>>
>> 2010/11/9 Bram Neijt <bn...@gmail.com>
>>
>> I think I'm missing a part of this.
>>>
>>> If you want a user to see only part of the document, would you not
>>> create a view that only emits parts of the document?
>>>
>>> I'm new at this, so could you write up an usage example for me?
>>>
>>> Greets,
>>>
>>> Bram
>>>
>>> On Mon, Nov 8, 2010 at 5:34 PM, Fedor Indutny <fe...@gmail.com>
>>> wrote:
>>> > Hi everyone!
>>> >
>>> > You've discussed earlier possibility of adding access validators to
>>> _design
>>> > documents, this feature it's a kind of thing that many couchdb users
>>> will be
>>> > glad to see.
>>> > The conclusion of previous discussion was that we can't add this
>>> validators,
>>> > because we actually won't be able to tell later, whether user can
>>> access
>>> > _design/view or not.
>>> >
>>> > What if we could add *validate_view_**access *to _design document?
>>> > It's not only fix of problem, I've mentioned above, but also a feature:
>>> > You'll be able to allow user to access only view, without having an
>>> access
>>> > to a full document.
>>> > So, for example, views could show only *title* field of document, while
>>> *
>>> > price* field will be hidden in a document itself.
>>> >
>>> > What do you think?
>>> >
>>> > --
>>> > (Node.js, Ruby, Python, PHP developer)
>>> > Fedor Indutny
>>> >
>>>
>>
>>
>>
>> --
>> Fedor Indutny
>>
>
>
>
> --
> Fedor Indutny
>



-- 
Fedor Indutny

Re: Access validation for docs and views

[Fedor Indutny <fe...@gmail.com>]

So I'm extending my proposal with this example:

Big company's people are stored in couchdb (200 - 400 people), with "salary"
field.
You may create views that will show total salary or salary of each
developers group, while not permitting to access individual salary.
My proposal: limiting views and docs separately.

2010/11/9 Fedor Indutny <fe...@gmail.com>

> Yes, sorry it was not clear, but it's exactly like you're saying.
>
> So my proposal is:
> Add *validate_doc_view* function in _design documents with arguments like
> *doc, userCtx, req*.
> Add *validate_view_access* function into _design/views/view_name with
> arguments like *req, userCtx*.
>
> Example:
> http://indutny.couchone.com/_utils/document.html?access_proposal/_design/test (admin
> party is here, so feel free to try anything).
>
> So you can throw {forbidden: "some text"} in any of this callbacks, if user
> have no access to item.
>
> Also for views, you can limit access to specific range for user (like in
> example).
>
> 2010/11/9 Bram Neijt <bn...@gmail.com>
>
> I think I'm missing a part of this.
>>
>> If you want a user to see only part of the document, would you not
>> create a view that only emits parts of the document?
>>
>> I'm new at this, so could you write up an usage example for me?
>>
>> Greets,
>>
>> Bram
>>
>> On Mon, Nov 8, 2010 at 5:34 PM, Fedor Indutny <fe...@gmail.com>
>> wrote:
>> > Hi everyone!
>> >
>> > You've discussed earlier possibility of adding access validators to
>> _design
>> > documents, this feature it's a kind of thing that many couchdb users
>> will be
>> > glad to see.
>> > The conclusion of previous discussion was that we can't add this
>> validators,
>> > because we actually won't be able to tell later, whether user can access
>> > _design/view or not.
>> >
>> > What if we could add *validate_view_**access *to _design document?
>> > It's not only fix of problem, I've mentioned above, but also a feature:
>> > You'll be able to allow user to access only view, without having an
>> access
>> > to a full document.
>> > So, for example, views could show only *title* field of document, while
>> *
>> > price* field will be hidden in a document itself.
>> >
>> > What do you think?
>> >
>> > --
>> > (Node.js, Ruby, Python, PHP developer)
>> > Fedor Indutny
>> >
>>
>
>
>
> --
> Fedor Indutny
>



-- 
Fedor Indutny

Re: Access validation for docs and views

[Fedor Indutny <fe...@gmail.com>]

Yes, sorry it was not clear, but it's exactly like you're saying.

So my proposal is:
Add *validate_doc_view* function in _design documents with arguments like *doc,
userCtx, req*.
Add *validate_view_access* function into _design/views/view_name with
arguments like *req, userCtx*.

Example:
http://indutny.couchone.com/_utils/document.html?access_proposal/_design/test
(admin
party is here, so feel free to try anything).

So you can throw {forbidden: "some text"} in any of this callbacks, if user
have no access to item.

Also for views, you can limit access to specific range for user (like in
example).

2010/11/9 Bram Neijt <bn...@gmail.com>

> I think I'm missing a part of this.
>
> If you want a user to see only part of the document, would you not
> create a view that only emits parts of the document?
>
> I'm new at this, so could you write up an usage example for me?
>
> Greets,
>
> Bram
>
> On Mon, Nov 8, 2010 at 5:34 PM, Fedor Indutny <fe...@gmail.com>
> wrote:
> > Hi everyone!
> >
> > You've discussed earlier possibility of adding access validators to
> _design
> > documents, this feature it's a kind of thing that many couchdb users will
> be
> > glad to see.
> > The conclusion of previous discussion was that we can't add this
> validators,
> > because we actually won't be able to tell later, whether user can access
> > _design/view or not.
> >
> > What if we could add *validate_view_**access *to _design document?
> > It's not only fix of problem, I've mentioned above, but also a feature:
> > You'll be able to allow user to access only view, without having an
> access
> > to a full document.
> > So, for example, views could show only *title* field of document, while *
> > price* field will be hidden in a document itself.
> >
> > What do you think?
> >
> > --
> > (Node.js, Ruby, Python, PHP developer)
> > Fedor Indutny
> >
>



-- 
Fedor Indutny

Re: Access validation for docs and views

[Bram Neijt <bn...@gmail.com>]

I think I'm missing a part of this.

If you want a user to see only part of the document, would you not
create a view that only emits parts of the document?

I'm new at this, so could you write up an usage example for me?

Greets,

Bram

On Mon, Nov 8, 2010 at 5:34 PM, Fedor Indutny <fe...@gmail.com> wrote:
> Hi everyone!
>
> You've discussed earlier possibility of adding access validators to _design
> documents, this feature it's a kind of thing that many couchdb users will be
> glad to see.
> The conclusion of previous discussion was that we can't add this validators,
> because we actually won't be able to tell later, whether user can access
> _design/view or not.
>
> What if we could add *validate_view_**access *to _design document?
> It's not only fix of problem, I've mentioned above, but also a feature:
> You'll be able to allow user to access only view, without having an access
> to a full document.
> So, for example, views could show only *title* field of document, while *
> price* field will be hidden in a document itself.
>
> What do you think?
>
> --
> (Node.js, Ruby, Python, PHP developer)
> Fedor Indutny
>