I think we must discuss here, whether we can bypass this access limitation or not. If we can - this access limitation is useless, if not - we definitely must review it and think about adding this to couchdb.
2010/11/9 Fedor Indutny <[email protected]> > So I'm extending my proposal with this example: > > Big company's people are stored in couchdb (200 - 400 people), with > "salary" field. > You may create views that will show total salary or salary of each > developers group, while not permitting to access individual salary. > My proposal: limiting views and docs separately. > > 2010/11/9 Fedor Indutny <[email protected]> > > Yes, sorry it was not clear, but it's exactly like you're saying. >> >> So my proposal is: >> Add *validate_doc_view* function in _design documents with arguments like >> *doc, userCtx, req*. >> Add *validate_view_access* function into _design/views/view_name with >> arguments like *req, userCtx*. >> >> Example: >> http://indutny.couchone.com/_utils/document.html?access_proposal/_design/test >> (admin >> party is here, so feel free to try anything). >> >> So you can throw {forbidden: "some text"} in any of this callbacks, if >> user have no access to item. >> >> Also for views, you can limit access to specific range for user (like in >> example). >> >> 2010/11/9 Bram Neijt <[email protected]> >> >> I think I'm missing a part of this. >>> >>> If you want a user to see only part of the document, would you not >>> create a view that only emits parts of the document? >>> >>> I'm new at this, so could you write up an usage example for me? >>> >>> Greets, >>> >>> Bram >>> >>> On Mon, Nov 8, 2010 at 5:34 PM, Fedor Indutny <[email protected]> >>> wrote: >>> > Hi everyone! >>> > >>> > You've discussed earlier possibility of adding access validators to >>> _design >>> > documents, this feature it's a kind of thing that many couchdb users >>> will be >>> > glad to see. >>> > The conclusion of previous discussion was that we can't add this >>> validators, >>> > because we actually won't be able to tell later, whether user can >>> access >>> > _design/view or not. >>> > >>> > What if we could add *validate_view_**access *to _design document? >>> > It's not only fix of problem, I've mentioned above, but also a feature: >>> > You'll be able to allow user to access only view, without having an >>> access >>> > to a full document. >>> > So, for example, views could show only *title* field of document, while >>> * >>> > price* field will be hidden in a document itself. >>> > >>> > What do you think? >>> > >>> > -- >>> > (Node.js, Ruby, Python, PHP developer) >>> > Fedor Indutny >>> > >>> >> >> >> >> -- >> Fedor Indutny >> > > > > -- > Fedor Indutny > -- Fedor Indutny
