Posted to user@couchdb.apache.org by Wordit <wo...@gmail.com> on 2012/07/27 17:19:40 UTC

_user db security

How secure is the _user database?
Futon will only give admin users access (at least on iriscouch). That's
what I'm hoping because I want to conceal usernames, since they are email
addresses.

Is that only because Futon is accessing it in a specific way?

I somehow remember in couch 1.0 that access to _users was public. Has that
changed?

Thanks,

Marcus

Re: _user db security

Posted by Wordit <wo...@gmail.com>.
On Fri, Jul 27, 2012 at 6:58 PM, Jim Klo <ji...@sri.com> wrote:
> I believe in 1.2.0 security to _users changed. http://wiki.apache.org/couchdb/Breaking_changes#A_users_database

Thanks Jim, this is really helpful. It means I can use the couchdb
BrowserID/FB/Twitter authentication modules and save a third layer.

Marcus

Re: _user db security

Posted by Jim Klo <ji...@sri.com>.
I believe in 1.2.0 security to _users changed. http://wiki.apache.org/couchdb/Breaking_changes#A_users_database

Authenticated users can read/update their own record only, delete is possible via update, not directly via delete (unless user is admin).

Jim Klo
Senior Software Engineer
Center for Software Engineering
SRI International
t. @nsomnac

On Jul 27, 2012, at 8:19 AM, Wordit wrote:

How secure is the _user database?
Futon will only give admin users access (at least on iriscouch). That's
what I'm hoping because I want to conceal usernames, since they are email
addresses.

Is that only because Futon is accessing it in a specific way?

I somehow remember in couch 1.0 that access to _users was public. Has that
changed?

Thanks,

Marcus
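
One way to check the question raised in this thread against your own CouchDB instance, independent of Futon (an added example, not part of the original messages or of CouchDB itself): request `/_users/_all_docs` without credentials and see whether user names come back. The function names, the `127.0.0.1:5984` address and the sample responses are assumptions made for the illustration.

```python
import json
import urllib.error
import urllib.request

USER_PREFIX = "org.couchdb.user:"  # id prefix of documents in _users


def http_get(url):
    """Unauthenticated GET returning (status, body text)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def audit_users_db(base_url, fetch=http_get):
    """Check whether an anonymous client can list _users and which names leak."""
    status, body = fetch(base_url.rstrip("/") + "/_users/_all_docs")
    result = {"status": status, "listable": None, "names": []}
    if status != 200:
        # 401/403 mean the listing is refused; anything else is inconclusive.
        if status in (401, 403):
            result["listable"] = False
        return result
    try:
        ids = [str(row.get("id", "")) for row in json.loads(body)["rows"]]
    except (ValueError, KeyError, TypeError, AttributeError):
        return result  # 200, but not an _all_docs response: inconclusive
    result["listable"] = True
    result["names"] = [i[len(USER_PREFIX):] for i in ids if i.startswith(USER_PREFIX)]
    return result


# Constructed sample responses (not captured from a real server).
OPEN = (200, json.dumps({"total_rows": 2, "rows": [
    {"id": "_design/_auth", "key": "_design/_auth", "value": {"rev": "1-x"}},
    {"id": "org.couchdb.user:alice@example.com",
     "key": "org.couchdb.user:alice@example.com", "value": {"rev": "1-y"}}]}))
REFUSED = (403, json.dumps({"error": "forbidden", "reason": "constructed sample"}))

if __name__ == "__main__":
    for label, sample in (("open", OPEN), ("refused", REFUSED)):
        report = audit_users_db("http://127.0.0.1:5984", fetch=lambda _u, s=sample: s)
        print(label, report)
```

Calling `audit_users_db(base_url)` without the `fetch` argument performs the real anonymous request; a non-empty `names` list means the email-address usernames are visible to anyone who can reach the server.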