I'm brand new at this, so I don't know the common way to solve this, but I was thinking it should be possible to put it behind nginx or apache, and simply return a 503 code if they tried to hit your database url instead of a document.
If that doesn't work, you could always put a thin middleware layer in front of couch that did nothing but security. (You can get webservers to give you the intended URL as a variable.)

On Jan 3, 2010, at 6:31 AM, Paweł Stawicki <[email protected]> wrote:

> Hello,
>
> I am thinking about using CouchDB in app I want to create. In CouchDB
> I can get documents directly from client's browser by JavaScript and
> it is great, but I have some concerns. I want the app to be accessible
> to everyone without need to have an account or log in (like
> wikipedia). If I want everyone to have access to documents, CouchDB
> has to be accessible to the whole internet. If this is the case,
> everyone can even delete whole database by single HTTP query :(
>
> It is inevitable that if DB is accessible in the internet, everyone
> can edit/add/delete documents. After all, this is what I want. But I
> don't want to allow deletion of whole database. Or access to another
> databases on the same CouchDB server.
>
> Even if I can prevent deletion of whole database, I can't prevent
> deletion of single documents, and malicious user could delete them one
> by one.
>
> So in a nutshell, I have questions:
> 1. Is it possible to prevent deletion of database?
> 2. Is it possible to prevent deletion of documents? Or, even better...
> 3. ...is it possible to limit number of deleted documents for specific
> IP for time unit. E.g. one document deletion per minute?
>
> Best regards
> --
> Paweł Stawicki
> http://pawelstawicki.blogspot.com
> http://szczecin.jug.pl
> http://www.java4people.com
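The decision logic of the "thin middleware layer" suggested in the reply, applied to the three questions in the quoted message, as an added example that is not part of the original thread. The database name `wiki`, the function `decide` and its three return values are assumptions made for illustration.

```python
import time
from urllib.parse import unquote

ALLOWED_DB = "wiki"        # assumed name of the one public database
DELETE_INTERVAL = 60.0     # seconds between document deletions per client IP
READ_ONLY = {"GET", "HEAD"}
DOC_METHODS = READ_ONLY | {"PUT", "DELETE"}
_last_delete = {}          # client IP -> time of its last forwarded DELETE


def decide(method, target, client_ip, now=None):
    """Return 'forward', 'forbid' or 'throttle' for one request line."""
    now = time.monotonic() if now is None else now
    method = method.upper()
    # Split the raw path before decoding, so an encoded slash (%2F) inside
    # a document id is not mistaken for a path separator.
    path = target.split("?", 1)[0]
    segments = [unquote(s) for s in path.split("/") if s]
    if not segments or segments[0] != ALLOWED_DB:
        return "forbid"    # server root, _all_dbs, _config, other databases
    if "." in segments or ".." in segments:
        return "forbid"    # never pass path traversal on to the backend
    if len(segments) == 1:
        # Database-level URL: DELETE drops the database, PUT creates one.
        # POST is kept because it is how a new document is added.
        return "forward" if method in READ_ONLY | {"POST"} else "forbid"
    if segments[1].startswith("_"):
        # _bulk_docs can carry deletions in its body, so special endpoints
        # (views, _all_docs, ...) are read-only in this sketch.
        return "forward" if method in READ_ONLY else "forbid"
    if method not in DOC_METHODS:
        return "forbid"
    if method == "DELETE":
        last = _last_delete.get(client_ip)
        if last is not None and now - last < DELETE_INTERVAL:
            return "throttle"   # question 3: one deletion per minute per IP
        _last_delete[client_ip] = now
    return "forward"
```

This sketch looks only at the method and path. A `PUT` whose JSON body sets `_deleted` to true also deletes a document, so a real filter would have to inspect request bodies as well.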
