On Sep 8, 2009, at 9:17 PM, Chris Anderson wrote:

On Tue, Sep 8, 2009 at 3:41 PM, Adam Kocoloski<[email protected]> wrote:
Finally, there's the issue of authz in views. What privileges does the view indexer have? If a user who is only allowed to read some of the documents in the DB is allowed to upload a _design document, it seems to me that the views generated from that _design document must exclude any forbidden documents. I guess this can work if the _design doc stores the roles of the user who saved it. It seems like a tricky, but solvable problem.

Best, Adam



One way to handle view auth is to require that views that need access
control prepend to the key the name of the user or the roles who
are allowed to access each row. So if you had docs that may only be
read by the users in the doc.readers array, you'd also write your
views something like:

function(doc) {
  // doc.readers is an array of user names or roles; emit one row per reader
  // (for...in over an array would yield the indices, not the names)
  doc.readers.forEach(function(u) {
    emit([u, doc.title], doc.body);
  });
}

This will make view permissions much more straightforward to enforce
than putting the ACL somewhere in the value - especially when it comes
to controlling read permissions of reduce values. The security layer
can just ensure that the key-range is valid for the requesting user.

Hi Chris, that sounds like a good idea, but it doesn't quite address the case of users who are privileged enough to create views, but are still restricted from viewing some of the docs in the DB. Perhaps that's a pathological case with which we shouldn't concern ourselves. Cheers,

Adam
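The key-prefix scheme Chris describes, together with the key-range check the security layer would make, as an added example that is not code from the thread or from CouchDB itself. It assumes a stand-in emit(), a constructed set of docs with a readers array, and user objects of the shape { name, roles }.

```javascript
// Rows collected by the stand-in emit(); CouchDB supplies the real one.
var rows = [];
function emit(key, value) { rows.push({ key: key, value: value }); }

// Map function in the style Chris describes: one row per authorised reader,
// with the reader's name or role as the first element of the key.
function mapDoc(doc) {
  // Assumption: doc.readers is an array of user names or roles.
  (doc.readers || []).forEach(function (u) {
    emit([u, doc.title], doc.body);
  });
}

// Key prefixes a user may query under: their own name plus their roles.
function allowedPrefixes(user) {
  return [user.name].concat(user.roles || []);
}

// The check the security layer performs before serving a view request:
// startkey and endkey must share one first element, and that element must
// be one of the requesting user's allowed prefixes. A range that spans
// several users (e.g. ["bob", ...] to ["alice", ...]) is rejected outright.
function rangeAllowed(user, startkey, endkey) {
  var prefixes = allowedPrefixes(user);
  return startkey.length > 0 && endkey.length > 0 &&
    startkey[0] === endkey[0] &&
    prefixes.indexOf(startkey[0]) !== -1;
}

// Serve the request only if the range passes; null means "forbidden".
// The second key element is compared as a plain string here, which is a
// simplification of CouchDB's collation.
function queryView(user, startkey, endkey) {
  if (!rangeAllowed(user, startkey, endkey)) return null;
  return rows.filter(function (r) {
    return r.key[0] === startkey[0] &&
      r.key[1] >= startkey[1] && r.key[1] <= endkey[1];
  });
}

// Constructed sample documents, indexed through the map function.
var sampleDocs = [
  { title: "alpha", body: "a", readers: ["alice", "admins"] },
  { title: "beta",  body: "b", readers: ["bob"] },
  { title: "gamma", body: "c", readers: ["admins"] }
];
sampleDocs.forEach(mapDoc);
```

Querying with startkey ["admins", ""] and endkey ["admins", "\ufff0"] returns the two admin rows for a user holding the admins role and is refused for one who does not.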
