2009/6/26 Jan Lehnardt <[email protected]>:
>
> On 25 Jun 2009, at 20:49, Benoit Chesneau wrote:
>>
>> That sounds good for me except for the anonymous stuff and user
>> specific data. Why not keeping same roles as other and just specify
>> writer when you want to allow write for guests?
>
> Can you elaborate on the "keeping same roles as other"? I'm open
> for suggestions :)
>

I was thinking that anonymous could be owner, reader and writer and by
default reader. There is no need for another role imo.

>
>> About the user specific data I'm a little afraid about security. I
>> think user database should be protected for all users except admins.
>
> Sure, the users database is an admin-only resource.
>

Oh I didn't understand that at first, sorry :)

>
>> Sure password is hashed/encrypted but this is just a question of
>> time/number of cpu that some could decrypt these passwords. I would
>> prefer them not so easily available. So maybe user profiles & co could
>> be in an optional "profile" db. This for the case when you expose
>> the database to the public. Maybe it's a little paranoid though.
>
> User-specific data that an app needs should live in documents
> separate from the docs that contain the hashes. Does that work
> for you?
>

Sure, that works if docs with hashes are protected against read. And
it's better since all data are in the same db.

- benoît
