Posted to user@couchdb.apache.org by Zachary Zolton <za...@gmail.com> on 2010/04/12 21:04:14 UTC

Restricting ability to create new user account

Hi,

I would like to configure a CouchDB server to allow only admins to
create user accounts.

Should I modify the validate_doc_update function in the _users
database's "_design/_auth" document?


Cheers,

Zach

Re: Restricting ability to create new user account

Posted by Zachary Zolton <za...@gmail.com>.
I like that approach better.

For some reason I was thinking that users could modify their own
_users doc, but I guess that would defeat role-based security... (^u^)

On Monday, April 12, 2010, J Chris Anderson <jc...@gmail.com> wrote:
>
> On Apr 12, 2010, at 12:04 PM, Zachary Zolton wrote:
>
>> Hi,
>>
>> I would like to configure a CouchDB server to allow only admins to
>> create user accounts.
>>
>> Should I modify the validate_doc_update function in the _users
>> database's "_design/_auth" document?
>>
>
> Yes, you could do that. It should be fine. However, if you delete the users db, it will be recreated with the default validation function. (I guess this is obvious, but worth stating.)
>
> As an alternative, you could require that users have a particular role, e.g. "approved", before they have access to the db(s) in question. Then anyone can create an account but only admins can give them the "approved" role.
>
>>
>> Cheers,
>>
>> Zach
>
>

Re: Restricting ability to create new user account

Posted by J Chris Anderson <jc...@gmail.com>.
On Apr 12, 2010, at 12:04 PM, Zachary Zolton wrote:

> Hi,
> 
> I would like to configure a CouchDB server to allow only admins to
> create user accounts.
> 
> Should I modify the validate_doc_update function in the _users
> database's "_design/_auth" document?
> 

Yes, you could do that. It should be fine. However, if you delete the users db, it will be recreated with the default validation function. (I guess this is obvious, but worth stating.)

As an alternative, you could require that users have a particular role, e.g. "approved", before they have access to the db(s) in question. Then anyone can create an account but only admins can give them the "approved" role.

> 
> Cheers,
> 
> Zach
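
The two approaches discussed in this thread, as an added example that is not part of any of the messages and is not CouchDB's own `_design/_auth` code: a `validate_doc_update` function for the `_users` database that lets only admins create accounts or change roles, and one for an application database that refuses writes without the "approved" role. The function names, the `check` helper and the sample documents are assumptions made for illustration; the stock validation function performs other checks that are not reproduced here, and read access is governed separately by the database's security settings.

```javascript
// Option 1: validate_doc_update for the _users database.
// Only admins may create user documents or change roles.
function usersDbValidate(newDoc, oldDoc, userCtx) {
  if (userCtx.roles.indexOf("_admin") !== -1) return;
  if (!oldDoc) {
    throw { forbidden: "Only admins may create user accounts." };
  }
  if (userCtx.name !== oldDoc.name) {
    throw { forbidden: "You may only update your own user document." };
  }
  if (newDoc._deleted) return;
  // Compare role lists element by element, ignoring order.
  var a = (oldDoc.roles || []).slice().sort();
  var b = (newDoc.roles || []).slice().sort();
  var same = a.length === b.length;
  for (var i = 0; same && i < a.length; i++) same = a[i] === b[i];
  if (!same) {
    throw { forbidden: "Only admins may change roles." };
  }
}

// Option 2: validate_doc_update for an application database.
// Anyone may sign up, but writes are refused without the "approved" role.
function appDbValidate(newDoc, oldDoc, userCtx) {
  var roles = userCtx.roles;
  if (roles.indexOf("_admin") === -1 && roles.indexOf("approved") === -1) {
    throw { forbidden: "Account has not been approved by an admin." };
  }
}

// Hypothetical helper for exercising the functions outside CouchDB.
function check(fn, newDoc, oldDoc, userCtx) {
  try { fn(newDoc, oldDoc, userCtx); return "ok"; }
  catch (e) { return e.forbidden || String(e); }
}

// Constructed sample contexts and documents.
var admin = { name: "root", roles: ["_admin"] };
var anon = { name: null, roles: [] };
var bob = { name: "bob", roles: [] };
var bobDoc = { _id: "org.couchdb.user:bob", name: "bob", type: "user", roles: [] };
var bobSelfPromoted = { _id: bobDoc._id, name: "bob", type: "user", roles: ["approved"] };

console.log(check(usersDbValidate, bobDoc, null, anon));          // sign-up attempt
console.log(check(usersDbValidate, bobDoc, null, admin));         // admin creates bob
console.log(check(usersDbValidate, bobSelfPromoted, bobDoc, bob)); // self-granted role
console.log(check(appDbValidate, { _id: "x" }, null, bob));       // unapproved write
```

To deploy either function, store its source as an anonymous function string in the `validate_doc_update` field of a design document in the relevant database.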