It really depends on the nature of the data and such, but in general I'd be pretty wary of doing such a thing for a write action. Might be okay for a read if the data isn't terribly sensitive.
--
Ed Finkler
http://funkatron.com
AIM: funka7ron
ICQ: 3922133
Skype: funka7ron

On Tue, Oct 7, 2008 at 7:35 PM, Paul Carey <[EMAIL PROTECTED]> wrote:
> My webapp PUTs data to a url like /controller/couchdb_db_doc_id. The
> associated action currently performs no security checks. Specifically,
> it doesn't ensure that the user making the PUT request and modifying
> the data actually owns the associated document.
>
> Given a uuid as a doc id, the chances of guessing a doc id are very
> low indeed; successfully guessing a typical user's password would be
> much easier. In order for an attack to be successful the attacker
> would have to first guess a document id - extremely unlikely. This
> leads me to believe that I don't *need* to perform any security checks
> when modifying a document as described above. Any thoughts to the
> contrary?
>
> Cheers
>
> Paul
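
The ownership check this thread is about, as an added example that is not code from either message: the document id in the URL is used only to locate the document, and the write is allowed only when the authenticated user matches the owner recorded on it. The `Doc` type, the dict used as a store, the `put_document` handler, the user names and the sample id are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Doc:
    owner: str  # user id recorded when the document was created (assumed field)
    body: dict


def put_document(store, session_user, doc_id, new_body):
    """Handle PUT /controller/<doc_id>; returns (status, message).

    `store` is a dict of doc_id -> Doc standing in for the database.
    `session_user` is the authenticated user id, or None if not logged in.
    """
    if session_user is None:
        return 401, "authentication required"
    doc = store.get(doc_id)
    # Same answer for "no such id" and "not yours", so the response does
    # not confirm that a given id exists.
    if doc is None or doc.owner != session_user:
        return 404, "not found"
    doc.body = dict(new_body)
    return 200, "updated"


def demo():
    # Constructed sample id and users; real ids would come from the database.
    doc_id = "6e1295ed6c29495e54cc05947f18c8af"
    store = {doc_id: Doc(owner="paul", body={"title": "draft"})}
    results = [
        put_document(store, "paul", doc_id, {"title": "final"}),       # owner
        put_document(store, "mallory", doc_id, {"title": "defaced"}),  # knows the id, not the owner
        put_document(store, None, doc_id, {"title": "anon"}),          # not logged in
        put_document(store, "paul", "0" * 32, {"title": "x"}),         # unknown id
    ]
    return results, store[doc_id].body


if __name__ == "__main__":
    print(demo())
```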
