Implement security

Registered by Tim Black on 2013-01-25

Decide on and implement a scheme to keep user data private to the user.

Blueprint information

Status: Not started
Approver: None
Priority: Undefined
Drafter: None
Direction: Needs approval
Assignee: None
Definition: Drafting
Series goal: Accepted for couchapp-backbone
Implementation: Unknown
Milestone target: 0.3.3

Whiteboard

Here is a scheme recommended by Iris Couch at http://mail-archives.apache.org/mod_mbox/couchdb-user/201108.mbox/%<email address hidden>%3E:

What are your requirements?

1. You have a database which is non-public. Users must log in first,
no exceptions. Okay, so: private data.
2. You have a web page (the login prompt) which is public. Anonymous
users must access it. Okay, so: public data.

To me, that sounds like two databases, and three roles: anonymous,
normal, and developer.

1. The welcome_mat database. Effectively this is an open-source app.
  * Readable by the public: _security.readers = []
  * No updates allowed by anonymous users
  * No updates allowed by normal users
  * Yes updates if ("developer" in userCtx.roles)

2. The private_stuff database, has all of your application data and
design docs except the welcome mat.
  * Not readable by the public: _security.readers = ["normal", "developer"]
  * Updates by anonymous users are not possible [1]
  * Yes updates by normal users: ("normal" in userCtx.roles)
  * No updates by developers: ("developer" in userCtx.roles) // that
role is for software updates only

More info: http://blog.mattwoodward.com/2012/03/definitive-guide-to-couchdb.html
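
The scheme above written out as CouchDB validate_doc_update functions, as an added example that is not part of the original whiteboard or the quoted message. The canRead and canWrite helpers, the sample users, and the rule that a user holding both roles is rejected in private_stuff are assumptions made for illustration.

```javascript
// Added example. The two validate functions use ES5 syntax only, since they
// would be stored as the validate_doc_update field of a design document.
// The "readers" key follows the page; later CouchDB releases call it "members".

// welcome_mat: empty readers list (public reads), writes for "developer" only.
const welcomeMatSecurity = { readers: { names: [], roles: [] } };
function welcomeMatValidate(newDoc, oldDoc, userCtx, secObj) {
  if (userCtx.roles.indexOf("developer") === -1) {
    throw { forbidden: "welcome_mat: only the developer role may write" };
  }
}

// private_stuff: readers limited to the two roles, writes for "normal" only.
// Assumption: a user holding both roles is rejected (deny takes precedence).
const privateStuffSecurity = {
  readers: { names: [], roles: ["normal", "developer"] }
};
function privateStuffValidate(newDoc, oldDoc, userCtx, secObj) {
  if (userCtx.roles.indexOf("developer") !== -1) {
    throw { forbidden: "private_stuff: developer role is for software updates only" };
  }
  if (userCtx.roles.indexOf("normal") === -1) {
    throw { forbidden: "private_stuff: the normal role is required to write" };
  }
}

// Simplified model of CouchDB's read check: an empty readers list means public.
function canRead(security, userCtx) {
  const r = security.readers;
  if (r.names.length === 0 && r.roles.length === 0) return true;
  return r.names.includes(userCtx.name) ||
         userCtx.roles.some((role) => r.roles.includes(role));
}

// Call a validate function as CouchDB would and report accept (true) or reject.
function canWrite(validate, userCtx, security) {
  try {
    validate({ _id: "doc" }, null, userCtx, security);
    return true;
  } catch (e) {
    if (e && (e.forbidden || e.unauthorized)) return false;
    throw e; // anything else is a bug in the validate function itself
  }
}

// Constructed sample users, one per role in the scheme.
const anonymous = { name: null, roles: [] };
const normal = { name: "alice", roles: ["normal"] };
const developer = { name: "dev", roles: ["developer"] };
```
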

Another, probably better, option is to use Hoodie.
