Posted to user@couchdb.apache.org by Wordit <wo...@gmail.com> on 2012/09/08 10:32:13 UTC

Allowing access only to authenticated users

Is there a way of allowing access only to authenticated users?
The only default role is "_admin" according to the docs I could find.
There's no "_user" role, meaning anyone in the _users db, is there?

I'd rather not have the data completely public, only accessible to
signed-up users. People in the "_users" database.

Adding each individual user who signs up to a custom role "users"
doesn't sound like a good way to achieve this. Or is it the only way? Any
suggestions?

Thanks,

Marcus

Re: Allowing access only to authenticated users

Posted by Wordit <wo...@gmail.com>.
On Sun, Sep 9, 2012 at 6:50 PM, Dave Cottlehuber <dc...@jsonified.com> wrote:
>
> My question is - what does this role actually do for you? All
> authenticated users will have a userCtx available in ddocs, so the mere
> fact it exists implies they're in users. Where else might you want a
> specific, separate role? Am I missing something?

Quite often with a couchapp you need the main page, or certain parts,
to be publicly accessible but not all the data. Personal profile data
would be hidden. New users need read access to view the sign up form,
which they cannot do if the whole couch is limited to authenticated
user access.

If you have a role of _user you can put the "authenticated users only"
data into a separate database while still allowing access to the sign
up and info about the application.

At the document level, you could write validation functions allowing
public read access but only authenticated users write access.

A use-case is a forum. It's standard to allow public read access but
require authentication to write. You need to easily group all
signed-up members.

I'm ruling out server-side scripts. There's little advantage in using
CouchDB if you are doing things the LAMP way.

Is there a client-side way that I'm missing?

Thanks,

Marcus
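
The "public read, authenticated write" forum case mentioned above, as an added example that is not part of the original thread: a validate_doc_update function, which CouchDB runs on writes only, so reads stay public. The "author" field, the design document _id and the sample users are assumptions made for illustration.

```javascript
// Added example: a CouchDB validate_doc_update function for a forum database.
// CouchDB invokes it on every write as (newDoc, oldDoc, userCtx, secObj) and
// rejects the write if it throws. The "author" field is an assumption.
var validateForumWrite = function (newDoc, oldDoc, userCtx, secObj) {
  // Anonymous requests arrive with userCtx.name === null.
  if (!userCtx || !userCtx.name) {
    throw { unauthorized: "Log in to write to this database." };
  }
  // Server admins may always write.
  if (userCtx.roles.indexOf("_admin") !== -1) {
    return;
  }
  // Updates and deletions are limited to the document's original author.
  if (oldDoc && oldDoc.author !== userCtx.name) {
    throw { forbidden: "Only the author may change this document." };
  }
  // A deletion stub need not carry an author field.
  if (newDoc._deleted) {
    return;
  }
  // Bind authorship to the authenticated name so it cannot be spoofed.
  if (newDoc.author !== userCtx.name) {
    throw { forbidden: "author must equal your user name." };
  }
};

// Design document carrying the function as a string (the _id is an assumption).
var designDoc = {
  _id: "_design/forum_auth",
  validate_doc_update: validateForumWrite.toString()
};

// Local stand-in for CouchDB's call, so the rules can be checked offline.
function tryWrite(newDoc, oldDoc, userCtx) {
  try {
    validateForumWrite(newDoc, oldDoc, userCtx, {});
    return "ok";
  } catch (e) {
    if (e.unauthorized) return "unauthorized";
    if (e.forbidden) return "forbidden";
    return "error";
  }
}

// Constructed sample contexts, shaped like CouchDB's userCtx.
var anon = { db: "forum", name: null, roles: [] };
var alice = { db: "forum", name: "alice", roles: [] };
console.log(tryWrite({ author: "alice", body: "hi" }, null, anon));
console.log(tryWrite({ author: "alice", body: "hi" }, null, alice));
```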

Re: Allowing access only to authenticated users

Posted by Dave Cottlehuber <dc...@jsonified.com>.
On 9 September 2012 13:13, Wordit <wo...@gmail.com> wrote:
> On Sat, Sep 8, 2012 at 4:51 PM, Dave Cottlehuber <dc...@jsonified.com> wrote:
>>
>> What you likely want is this, and then to control signups as needed?
>>
>> [couch_httpd_auth]
>> require_valid_user = true
>
> Isn't [couch_httpd_auth] a couch-wide setting? It needs to be per
> database. Otherwise, there's no public access at all, which would
> greatly diminish the usefulness/uniqueness of using CouchDB.

Yes.

> Would it go against CouchDB design philosophy to have a _user role
> pre-defined, and tied to the _users database? If not, I think it would
> make sense and be useful to many developers. Where is the place to
> suggest and discuss this as a feature?

Here's good, but you can also move it to dev@ if you like.

My question is - what does this role actually do for you? All
authenticated users will have a userCtx available in ddocs, so the mere
fact it exists implies they're in users. Where else might you want a
specific, separate role? Am I missing something?

A+
Dave

Re: Allowing access only to authenticated users

Posted by Wordit <wo...@gmail.com>.
On Sat, Sep 8, 2012 at 4:51 PM, Dave Cottlehuber <dc...@jsonified.com> wrote:
>
> What you likely want is this, and then to control signups as needed?
>
> [couch_httpd_auth]
> require_valid_user = true

Isn't [couch_httpd_auth] a couch-wide setting? It needs to be per
database. Otherwise, there's no public access at all, which would
greatly diminish the usefulness/uniqueness of using CouchDB.

Would it go against CouchDB design philosophy to have a _user role
pre-defined, and tied to the _users database? If not, I think it would
make sense and be useful to many developers. Where is the place to
suggest and discuss this as a feature?

Thanks,

Marcus

Re: Allowing access only to authenticated users

Posted by Dave Cottlehuber <dc...@jsonified.com>.
On 8 September 2012 10:32, Wordit <wo...@gmail.com> wrote:
> Is there a way of allowing access only to authenticated users?
> The only default role is "_admin" according to the docs I could find.
> There's no "_user" role, meaning anyone in the _users db, is there?
>
> I'd rather not have the data completely public, only accessible to
> signed-up users. People in the "_users" database.
>
> Adding each individual user who signs up to a custom role "users"
> doesn't sound like a good way to achieve this. Or is it the only way? Any
> suggestions?
>
> Thanks,
>
> Marcus

What you likely want is this, and then to control signups as needed?

[couch_httpd_auth]
require_valid_user = true

AFAICT from the code, this requires all access to CouchDB APIs to be
authenticated. However
https://issues.apache.org/jira/browse/COUCHDB-1452 might present some
issues, depending on how you are authorising users.

A+
Dave

Re: Allowing access only to authenticated users

Posted by Octavian Damiean <ma...@gmail.com>.
Hello,

You'd do the same thing on a SQL database. A user would have a flag that
indicates his permissions.

On Sep 8, 2012 10:33 AM, "Wordit" <wo...@gmail.com> wrote:

> Is there a way of allowing access only to authenticated users?
> The only default role is "_admin" according to the docs I could find.
> There's no "_user" role, meaning anyone in the _users db, is there?
>
> I'd rather not have the data completely public, only accessible to
> signed-up users. People in the "_users" database.
>
> Adding each individual user who signs up to a custom role "users"
> doesn't sound like a good way to achieve this. Or is it the only way? Any
> suggestions?
>
> Thanks,
>
> Marcus
>