Posted to dev@couchdb.apache.org by Benoit Chesneau <bc...@gmail.com> on 2010/08/06 13:25:10 UTC

path based authentication in rewriter

Hi all;

I've written this patch some time ago that adds path authentication
to the _rewrite handler:


http://github.com/benoitc/couchdb/commit/9c15cf8ed710db3805bd1a7d792ba53457cb9c48


So if you have a rule :

{
  "from": "/somepath",
  "to": "/path",
  "roles": ["_admin", "somerole"]
}

It will test user roles against this patch and allow the user to see the
result only if he's authorized. It handles only roles for now, but adding
usernames could be easy too.

Do you think it's worth making it upstream? (i.e. commit it in trunk)

Let me know.

- benoît

Re: path based authentication in rewriter

Posted by J Chris Anderson <jc...@apache.org>.
On Aug 6, 2010, at 4:25 AM, Benoit Chesneau wrote:

> Hi all;
> 
> I've written this patch some time ago that adds path authentication
> to the _rewrite handler:
> 
> 
> http://github.com/benoitc/couchdb/commit/9c15cf8ed710db3805bd1a7d792ba53457cb9c48
> 
> 
> So if you have a rule :
> 
> {
>  "from": "/somepath",
>  "to": "/path",
>  "roles": ["_admin", "somerole"]
> }
> 
> It will test user roles against this patch and allow the user to see the
> result only if he's authorized. It handles only roles for now, but adding
> usernames could be easy too.
> 
> Do you think it's worth making it upstream? (i.e. commit it in trunk)
> 

I'm wary about this, as we don't support reader access control within a database. This is possible currently by checking for roles within the _show and _list functions. Making this easier is probably a bad idea, as then people will be much more likely to use it without understanding the implications. (E.g.: you think your site is secure when just removing a host header is all it takes to replicate the entire database).

Chris

> Let me know.
> 
> - benoît
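
The role check inside a _show function that the reply mentions, as an added example that is not part of the original thread or of CouchDB's code. ALLOWED_ROLES, hasAnyRole and showGuarded are hypothetical names, and the document and requests are constructed; the check only runs for requests routed to this function and does not add reader access control to the database, which is the caveat raised in the reply.

```javascript
// Added example. ALLOWED_ROLES, hasAnyRole and showGuarded are hypothetical names;
// req.userCtx ({name, roles}) is the user context CouchDB passes to show functions.
var ALLOWED_ROLES = ["_admin", "somerole"]; // roles from the rule quoted in the thread
var JSON_HEADERS = { "Content-Type": "application/json" };

function hasAnyRole(userCtx, allowed) {
  var roles = (userCtx && userCtx.roles) || [];
  return roles.some(function (role) {
    return allowed.indexOf(role) !== -1;
  });
}

function reply(code, payload) {
  return { code: code, headers: JSON_HEADERS, body: JSON.stringify(payload) };
}

// Body of a show function as it would be stored under "shows" in a design document.
function showGuarded(doc, req) {
  var ctx = req.userCtx || { name: null, roles: [] };
  if (!hasAnyRole(ctx, ALLOWED_ROLES)) {
    // Anonymous callers are asked to authenticate; authenticated ones are refused.
    return ctx.name ? reply(403, { error: "forbidden" })
                    : reply(401, { error: "unauthorized" });
  }
  if (!doc) {
    return reply(404, { error: "not_found" });
  }
  // Return only the fields this view is meant to expose.
  return reply(200, { title: doc.title });
}

// Constructed sample document and requests.
var sampleDoc = { _id: "report-1", title: "Q3 numbers", internal: "draft" };
var sampleRequests = {
  anonymous: { userCtx: { name: null, roles: [] } },
  noRole: { userCtx: { name: "alice", roles: ["other"] } },
  withRole: { userCtx: { name: "bob", roles: ["somerole"] } },
  admin: { userCtx: { name: "root", roles: ["_admin"] } }
};

Object.keys(sampleRequests).forEach(function (who) {
  console.log(who, showGuarded(sampleDoc, sampleRequests[who]).code);
});
```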