Thanks - problem solved. I hadn't realized that every "save document" operation (whether or not related to a query in a design document) had to satisfy any validation function in *any* design document.
Catherine to be saved had to satisfy to On Thu, 2010-07-22 at 14:16 -0700, J Chris Anderson wrote: > On Jul 22, 2010, at 2:47 PM, Catherine Jones wrote: > > > I have a couch database (with an admin and and an admin password > > defined) that's sitting behind an nginx proxy. The ngin proxy routes > > traffic between http://127.0.0.1:5984 on my VPS and the public address > > of http://my_domain_name/subdirectory_name. I want anonymous visitors to > > my website to be able to read from the database but not write to it. > > > > While I can include validation functions in my design documents, this > > doesn't, as far as I can tell, prevent an anonymous person from sending > > a request like: > > > > curl -X PUT http://my_domain_name/subdirectory_name/my_database_name/ > > "some_new_doc_id" -d @some_json_file > > > > and thus writing a new document to the database. I can use an obscure > > name for the database, of course, but isn't there some better way? Am I > > missing something here? Thanks... > > > > You can reject all writes in a validation function, so this is definitely > possible. > > What you probably want to do is > > function(newDoc, oldDoc, userCtx) { > if (userCtx.name != "Catherine"} throw({forbidden:"only Catherine can > write"); > } > > > Catherine > > > > > > >
