I've put a more readable and updated version here : https://github.com/refuge/refuge/wiki/DB-Security-hooks
On Wed, Jan 4, 2012 at 10:52 AM, Benoit Chesneau <[email protected]> wrote: > Hi all, > > Following is a quick proposal to implement support of hooks to other > databases. Let me know what you think about it. I would be be happy to > start the work on that. > > - benoît > > > # Using the db hooks in other databases > > ## Definitons > > Hooks > `before_doc_update` & `after_doc_read` functions that could be > associated to a db object. > > Db > abbreviation of database. > > ## Goal > > Today the db hooks are only used in the `_users` & `_replicator` dbs. It > would be good to generalize them to other dbs. Ie. an admin should be > abble to add these functions on any created dbs. > > ## Possible solutions > > ### In the design documents > > We could like the validate_doc_update function, add such function to any > design documents. Function would be : > > > function before_doc_update(Doc, UserCtx, SecObj) { > > } > > > function after_doc_read(Doc, UserCtx, SecObj) { > > } > > > Then this functions will be processed in a loop. Processed functions > could return: > > - `true` if nothing is changed > - a new doc or the doc object > - an error witch will be raised. > > > While the `after_read_doc` coulc return > > > ### In the security object. > > Historically the `validate_doc_update` function is in the the design > document. But such functions could also be in the security object. The > above solution has the advantage to not change the way couchdb already > work. > > > ## Optimisations > > - on_changes & all_docs hooks. Actually these hooks are hardcoded in > couch. We should change that to allow anyone to build its own security > system. > > - If in JS, such functions should support the commonjs `require` > feature. > > > ## Example > > ### Dropbox > > One usecase of such feature would allows to easily add a dropbox feature > to couch. In tis scenarion any user can drop a document, but only admins > can read it. It could be done by these functions: > > > function after_doc_read(Doc, UserCtx, SecObj) { > if (userCtx.roles.find("_admin") == -1) > return {"forbidden": "you don't can't read docs in this > db"}; > } > } > > Here we also need an `on_all_docs` function: > > function on_all_docs(UserCtx, SecObjc) { > if (userCtx.roles.find("_admin") == -1) > return {"forbidden": "you don't can't read docs in this > db"}; > } > } > > > and an `on_changes` function: > > function on_all_docs(UserCtx, SecObjc) { > if (userCtx.roles.find("_admin") == -1) > return {"forbidden": "you don't can't read docs in this > db"}; > } > } > >> **Note:** These functions could of course be in Erlang.
