Devs, We've had reader ACLs on the roadmap for a long time, and this morning I took the time to implement.
The API is copied from the database admins API. There is a list of readers for each database:

GET /db/_readers to see the list
PUT /db/_readers to change the list

The list is a JSON array like ["top-secret", "jan", "editors"]. If a user's name or any of their roles is in the list, they have read access to the db. If the _readers list is empty, the db is public.

This code still needs review. It's the first I've written that upgrades the disk format on the fly. Only use it on test data until it is merged to trunk. There is no code that will downgrade the new format back to trunk. Once it is committed it should upgrade seamlessly.

I've only done a little bit of testing, but I think the implementation is fairly solid (e.g. I can't see how someone could get access to a private db).

The code is available here: http://github.com/jchris/couchdb/tree/readeracl
tests: http://github.com/jchris/couchdb/blob/readeracl/share/www/script/test/reader_acl.js

I plan to commit it once I've had some more eyes on it, hopefully early this week.

Known issue: the reader ACLs inherit from the db-admins list the flat namespace of users and roles. This means there's a potential exploit where a user signs up with the username "doctor" and thus can write prescriptions. I think this is worth fixing before 1.0, b/c otherwise anyone who ever deploys Couch has to learn about the flat namespace and figure out how to discourage the exploit.

Chris

--
Chris Anderson
http://jchrisa.net
http://couch.io
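The read-access rule described in the message (name or role in the _readers list grants access; an empty list means public), modelled as a small JavaScript check so the flat-namespace issue can be seen concretely. This is an added example, not code from the post or from CouchDB's readeracl branch; the userCtx shape ({name, roles}), the function names, and the registered-user and role inputs to the collision check are assumptions made for illustration.

```javascript
// Added example: a model of the reader-ACL decision described in the post.
// Not code from the post or from CouchDB; the userCtx shape ({name, roles})
// and the function names are assumptions made for illustration.

// readers: the JSON array stored at /db/_readers, e.g. ["top-secret", "jan", "editors"]
// userCtx: { name: "jan" | null, roles: ["editors", ...] } (shape assumed)
function canRead(readers, userCtx) {
  // An empty (or missing) _readers list means the database is public.
  if (!Array.isArray(readers) || readers.length === 0) {
    return true;
  }
  const name = userCtx && typeof userCtx.name === "string" ? userCtx.name : null;
  const roles = userCtx && Array.isArray(userCtx.roles) ? userCtx.roles : [];

  // Users and roles share one flat namespace in the list: a match on either
  // the user's name or any of their roles grants read access.
  if (name !== null && readers.includes(name)) {
    return true;
  }
  return roles.some((role) => readers.includes(role));
}

// Defender-side check for the known issue in the post: a _readers entry meant
// as a role name that is also a registered user name. With a flat namespace,
// whoever owns that user name reads the database as if they held the role.
// `registeredUsers` and `definedRoles` are constructed inputs (assumption);
// the server described in the post does not expose them this way.
function flatNamespaceCollisions(readers, registeredUsers, definedRoles) {
  const users = new Set(registeredUsers);
  const roles = new Set(definedRoles);
  return readers.filter((entry) => users.has(entry) && roles.has(entry));
}

// Constructed sample data (not from any real deployment).
const READERS = ["top-secret", "jan", "editors"];
const ANONYMOUS = { name: null, roles: [] };

function demo() {
  return {
    publicDb: canRead([], ANONYMOUS),                                 // true
    namedUser: canRead(READERS, { name: "jan", roles: [] }),          // true
    byRole: canRead(READERS, { name: "bob", roles: ["editors"] }),    // true
    noMatch: canRead(READERS, { name: "bob", roles: ["writers"] }),   // false
    anonOnPrivate: canRead(READERS, ANONYMOUS),                       // false
    // The collision from the post: "doctor" intended as a role, but a user
    // registered under that name is granted read access too.
    doctorAsUser: canRead(["doctor"], { name: "doctor", roles: [] }), // true
    collisions: flatNamespaceCollisions(
      ["doctor", "nurse"],   // _readers list
      ["doctor", "alice"],   // registered user names (constructed)
      ["doctor", "nurse"]    // defined role names (constructed)
    ),                                                                // ["doctor"]
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Running the block prints the decision table; the last entry is the kind of audit a deployment would want to run over its _readers lists and user database until the namespace is split, since the check itself cannot tell a role entry from a user entry.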
