On Tue, May 26, 2009 at 9:06 AM, Wojciech Kaczmarek <[email protected]> wrote:
> Hi!
>
> I just observed that authentication for replication is only needed for
> design documents, anyone can replicate normal documents into a remote
> database. Is this a bug? This behaviour occurs for push replication,
> 0.9.0 code.
>
> Unfortunately I'm going to have a lot of push replication as the main
> source of data are offline machines which occasionally get connected
> to online nodes. I'm considering using some reverse tunnels but for
> now it'd be a PITA; so what are the exact deficiencies of push vs
> pull?
>

Replication is just another HTTP client, so unless you have a validation function that blocks anonymous users from saving to your database, anyone can push replicate.

By default only admins can make design documents, so as long as you have a database admin set up, you won't see untrusted users editing design docs.

Pull replication is just GET requests, so anyone who can browse your database can replicate from it.

Chris

--
Chris Anderson
http://jchrisa.net
http://couch.io
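
A validation function of the kind the reply above refers to, as an added example that is not part of the original message or of CouchDB's own code. The admin-only deletion rule, the `tryWrite` harness, the database name and the sample users are assumptions made for illustration.

```javascript
// Body of a validate_doc_update function as it would be stored (as a string)
// in a design document. It runs for every write, including documents that
// arrive through push replication, because replication is an ordinary
// HTTP client.
function validateDocUpdate(newDoc, oldDoc, userCtx) {
  // Anonymous requests carry no user name in the user context.
  if (!userCtx.name) {
    throw { unauthorized: 'Log in before writing to this database.' };
  }
  var isAdmin = userCtx.roles.indexOf('_admin') !== -1;
  // Assumed extra policy: deletions (replicated tombstones included)
  // are accepted only from admins.
  if (newDoc._deleted && !isAdmin) {
    throw { forbidden: 'Only admins may delete documents.' };
  }
}

// Hypothetical local harness: maps the thrown object to the HTTP status a
// direct write of the document would receive (401 unauthorized, 403 forbidden).
function tryWrite(newDoc, oldDoc, userCtx) {
  try {
    validateDocUpdate(newDoc, oldDoc, userCtx);
    return 201;
  } catch (e) {
    if (e.unauthorized) return 401;
    if (e.forbidden) return 403;
    throw e; // anything else is a bug in the function itself
  }
}

// Constructed sample user contexts and documents.
var anonymous = { db: 'fieldnotes', name: null, roles: [] };
var fieldUser = { db: 'fieldnotes', name: 'laptop-07', roles: [] };
var admin = { db: 'fieldnotes', name: 'root', roles: ['_admin'] };
var note = { _id: 'note-1', text: 'collected offline' };
var tombstone = { _id: 'note-1', _deleted: true };

console.log('anonymous push  ->', tryWrite(note, null, anonymous));
console.log('logged-in push  ->', tryWrite(note, null, fieldUser));
console.log('user deletion   ->', tryWrite(tombstone, note, fieldUser));
console.log('admin deletion  ->', tryWrite(tombstone, note, admin));
```

This function only gates writes; as the reply notes, pull replication is plain GET requests and is not affected by it.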
