[ https://issues.apache.org/jira/browse/COUCHDB-442?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12736735#action_12736735 ]

Curt Arnold commented on COUCHDB-442:
-------------------------------------

Say we have a personnel system where documents contain some confidential info 
(perhaps Social Security Number) and some less restricted info like education, 
location, phone number, blog entries, etc.  Say the split is only 5% 
confidential and 95% public.  I want to create views by university, graduation 
date, phone number, location, department, etc.  On each of the queries, I'd 
like a class of users to see everything public about the person but not any of 
the confidential info.

Without the view function, one option would be calling something like:

emit(key, sanitize(doc));

in the map function for each of the views which would be 95% as bad as doing 
emit(key, doc).  Basically, everything that would motivate you to do emit(key, 
null) over emit(key, doc) comes into play, but just slightly reduced.

Another workaround would be to grab the ids and just attempt to retrieve all 
the underlying documents.  Some other part of the authentication system would 
need to prevent retrieving the confidential info either by rejecting the 
request for the entire document or sanitizing it.  

Allowing access to views but disabling include_docs and preventing direct 
retrievals of the doc is my best analogy to authorizing access to SQL views but 
restricting direct access to the tables.

While the main motivation is preparing for a more beefed up authentication and 
authorization, it would seem to have some independent usefulness.  Plus it 
would not appear to require any additional resources until serializing the 
result set, and then only if the user added ?include_views=true.


> Add a "view" or "format" function to process source doc on query
> ----------------------------------------------------------------
>
>                 Key: COUCHDB-442
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-442
>             Project: CouchDB
>          Issue Type: Improvement
>          Components: JavaScript View Server
>            Reporter: Curt Arnold
>
> It is common practice to emit pairs like {key, null} and then query with 
> ?include_docs=true to retrieve the documents that were responsible for the 
> entries.  However, the full document may include information that is 
> privileged or the full document may be substantially larger than the 
> information needed to be transferred to the client.
> The proposed enhancement is to allow defining a "view" function in addition 
> to the existing "map" and "reduce" on a view.  If specified, the view 
> function would take the id, key, value and doc and return a JSON value that 
> would be added as the "view" member to the row in the result set.
> One of the use cases on 
> http://wiki.apache.org/couchdb/Authentication_and_Authorization is to be able 
> to specify that a user can retrieve the values from a view, but not add 
> include_docs since that may expose information that they are not authorized 
> to view.  Without the "view" function, there would be pressure to start 
> pushing things into the emitted value.
> Production of views would likely be controlled using an include_views=true in 
> the query string.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
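The following is an added illustration, not code from the JIRA issue, its reporter or CouchDB itself. It simulates in plain Node.js the three approaches discussed above: a map function that emits null and relies on include_docs (which leaks the whole document), the emit(key, sanitize(doc)) workaround (which pays for the projection at index time), and the proposed query-time "view" function taking (id, key, value, doc). The personnel documents, the PUBLIC_FIELDS allow-list, the query() harness, the include_views option and the viewFn signature are all constructed here; they stand in for the real view server and for semantics the issue only proposes.

```javascript
// Added example: simulates the access-control trade-off discussed in COUCHDB-442.
// Nothing here is CouchDB's own code; query() is a minimal stand-in for the view server.

// Constructed personnel documents. "ssn" is the confidential field; the rest is public.
const DOCS = [
  { _id: "p1", name: "Ada", ssn: "123-45-6789", university: "MIT", gradYear: 1995, dept: "R&D" },
  { _id: "p2", name: "Bob", ssn: "987-65-4321", university: "CMU", gradYear: 2001, dept: "Ops" },
  { _id: "p3", name: "Cy",  ssn: "555-55-5555", university: "MIT", gradYear: 2001, dept: "R&D" },
];

// Allow-list of fields a non-privileged user may see. An allow-list (rather than
// deleting known-bad fields) means a newly added confidential field is hidden by default.
const PUBLIC_FIELDS = ["_id", "name", "university", "gradYear", "dept"];

function sanitize(doc) {
  const out = {};
  for (const f of PUBLIC_FIELDS) if (f in doc) out[f] = doc[f];
  return out;
}

// Pattern the issue starts from: emit null, fetch the document with include_docs.
function mapByUniversity(doc, emit) {
  emit(doc.university, null);
}

// Workaround from the comment: emit the sanitized projection as the row value.
// The projection is stored in the index once per view, per document.
function mapByUniversitySanitized(doc, emit) {
  emit(doc.university, sanitize(doc));
}

// Proposed "view" function (hypothetical signature, as described in the issue):
// runs at query time and its return value becomes the row's "view" member.
function viewFn(id, key, value, doc) {
  return sanitize(doc);
}

// Stand-in for the view server: run a map function over every document, sort rows by
// key, then attach "doc" (include_docs) and/or "view" (include_views) per row.
function query(mapFn, opts = {}) {
  const rows = [];
  for (const doc of DOCS) {
    mapFn(doc, (key, value) => rows.push({ id: doc._id, key, value }));
  }
  rows.sort((a, b) => (a.key < b.key ? -1 : a.key > b.key ? 1 : 0));
  const byId = Object.fromEntries(DOCS.map((d) => [d._id, d]));
  for (const row of rows) {
    if (opts.include_docs) row.doc = byId[row.id];
    if (opts.include_views && opts.viewFn) {
      row.view = opts.viewFn(row.id, row.key, row.value, byId[row.id]);
    }
  }
  return rows;
}

// Check used below: does any row (value, doc or view member) carry the confidential field?
function leaksConfidential(rows) {
  return rows.some((r) => JSON.stringify(r).includes('"ssn"'));
}

// Stand-alone run: the include_docs result leaks, the other two do not.
console.log("include_docs leaks:", leaksConfidential(query(mapByUniversity, { include_docs: true })));
console.log("sanitized value leaks:", leaksConfidential(query(mapByUniversitySanitized)));
console.log("view function leaks:", leaksConfidential(query(mapByUniversity, { include_views: true, viewFn })));
```

The check to keep in mind when adopting either sanitizing approach is that it only protects the view path: a user who can GET /db/p1 directly still gets the SSN, which is why the comment pairs it with preventing direct document retrieval.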
