Implement security
Decide on and implement a scheme to keep user data private to the user.
Blueprint information
- Status: Not started
- Approver: None
- Priority: Undefined
- Drafter: None
- Direction: Needs approval
- Assignee: None
- Definition: Drafting
- Series goal: Accepted for couchapp-backbone
- Implementation: Unknown
- Milestone target: 0.3.3
Whiteboard
Here is a scheme recommended by Iris Couch at http://
What are your requirements?
1. You have a database which is non-public. Users must log in first, no exceptions. Okay, so: private data.
2. You have a web page (the login prompt) which is public. Anonymous users must access it. Okay, so: public data.

To me, that sounds like two databases, and three roles: anonymous, normal, and developer.

1. The welcome_mat database. Effectively this is an open-source app.
   * Readable by the public: _security.readers = []
   * No updates allowed by anonymous users
   * No updates allowed by normal users
   * Yes updates if ("developer" in userCtx.roles)
2. The private_stuff database has all of your application data and design docs except the welcome mat.
   * Not readable by the public: _security.readers = ["normal", "developer"]
   * Updates by anonymous users are not possible [1]
   * Yes updates by normal users: ("normal" in userCtx.roles)
   * No updates by developers: ("developer" in userCtx.roles) // that role is for software updates only
More info: http://
Another, probably better, option is to use Hoodie.
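The two-database scheme above, written as CouchDB `validate_doc_update` functions with a local model of the `_security` read check, so the resulting access matrix can be checked offline. This is an added example, not code from the blueprint or from Iris Couch; the function names, the sample users and the `canRead`/`canWrite` helpers are assumptions.

```javascript
// validate_doc_update for welcome_mat: only the "developer" role may write.
function validateWelcomeMat(newDoc, oldDoc, userCtx, secObj) {
  if (userCtx.roles.indexOf("developer") === -1) {
    throw { forbidden: "welcome_mat: developer role required" };
  }
}

// validate_doc_update for private_stuff: only "normal" may write.
// Assumption: a user holding both roles is refused, as developers are.
function validatePrivateStuff(newDoc, oldDoc, userCtx, secObj) {
  if (!userCtx.name) throw { unauthorized: "private_stuff: log in first" };
  if (userCtx.roles.indexOf("developer") !== -1) {
    throw { forbidden: "private_stuff: developer role is for software updates only" };
  }
  if (userCtx.roles.indexOf("normal") === -1) {
    throw { forbidden: "private_stuff: normal role required" };
  }
}

// Local model of the _security read check (server admins are not modelled):
// an empty readers list is public, otherwise a listed name or role is needed.
function canRead(readers, userCtx) {
  if (readers.names.length === 0 && readers.roles.length === 0) return true;
  return readers.names.indexOf(userCtx.name) !== -1 ||
    readers.roles.some(function (r) { return userCtx.roles.indexOf(r) !== -1; });
}

// Calls a validation function as a write would; a throw means rejected.
function canWrite(validate, userCtx) {
  try { validate({ _id: "doc" }, null, userCtx, {}); return true; }
  catch (e) { return false; }
}

// Constructed sample users and the two reader lists from the scheme.
var users = {
  anonymous: { name: null, roles: [] },
  normal: { name: "alice", roles: ["normal"] },
  developer: { name: "dev", roles: ["developer"] }
};
var welcomeMatReaders = { names: [], roles: [] };
var privateStuffReaders = { names: [], roles: ["normal", "developer"] };

// Access matrix per user: [welcome read, welcome write, private read, private write]
function accessMatrix() {
  var out = {};
  Object.keys(users).forEach(function (who) {
    var u = users[who];
    out[who] = [canRead(welcomeMatReaders, u), canWrite(validateWelcomeMat, u),
                canRead(privateStuffReaders, u), canWrite(validatePrivateStuff, u)];
  });
  return out;
}
```

In a real deployment each function body goes into the `validate_doc_update` field of a design document in its own database, and read access is enforced by the server from `_security`, not by `canRead`.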