I disagree that "ip address" should be part of the user context since it's clearly part of the request. As for adding selected parts of the request into the user context in general, I don't see any logic to that and it doesn't seem tidier (the opposite, in fact).
Dave asks a great question: should a VDU function be idempotent? Perhaps, but it isn't today anyway. It can vary in its result on different databases and servers based on local security settings (the user doesn't have a role on server A that it does on server B). Given that, it seems fair to allow for a VDU to vary based on any other property of the request (instead of, or in addition to, any properties of the authenticated user, if there is one).

Benoit also makes a good point where he urges caution about making VDU a security feature, whereas it has always been intended to ensure you have valid documents (for whatever meaning of 'valid' applies to you). Since this request is in response to a security request (the ability to reject writes from blacklisted IP addresses or the like) I think that caution is warranted.

Perhaps there are two proposals in one here. If we passed the req object to VDUs, we might allow users to build richer applications, but we must be clear that this is not a security mechanism (we've had at least one bug where VDUs were not evaluated after a compaction, for example). The other proposal might be to allow the granting of rights by IP address, much as MySQL does. In fact, I believe this idea is part of the Summit proposal to enhance our security model. I should be able to grant _admin rights to a user if and only if they come from 127.0.0.1, for example. I might also like to exclude all requests from certain IPs or IP blocks. I suspect that goes beyond our remit and should be handled by a firewall instead, though.

B.

On 28 May 2012 14:03, Benoit Chesneau <[email protected]> wrote:
> On Fri, May 25, 2012 at 1:49 PM, Robert Newson <[email protected]> wrote:
>> I can't think of a solid objection to this idea. The result of a
>> validate_doc_update can already vary based on the local security
>> object. Being able to inspect not only the new document, but any other
>> property of the request seems useful.
>>
>
> Imo any security things should be distinct from authorization. So
> someone can also authenticate itself wh
>
> We could eventually add some extra data like proposed in my previous
> mail, but rather I think having a role given to a user depending on
> its IP would work better. And most systems are working like this
> today anyway.
>
> - benoit
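The point Robert makes above, that a validate_doc_update result already varies between servers because the user's roles and the database security object differ, can be seen with a small runnable illustration. The code below is an added example written for this page, not code from the thread or from CouchDB itself. It uses the real CouchDB VDU signature `function(newDoc, oldDoc, userCtx, secObj)` and the `{forbidden: ...}` / `{unauthorized: ...}` throw convention, but the server names, the `editor` role, the document and the two security objects are constructed for illustration; the proposed `req` argument from the thread is not implemented here because it does not exist in CouchDB.

```javascript
// Added example (not from the thread or from CouchDB): a CouchDB-style
// validate_doc_update function run against two constructed "servers" to show
// that the same document and the same user can be accepted on one and
// rejected on the other. Role name "editor" and the servers are made up.

function validateDocUpdate(newDoc, oldDoc, userCtx, secObj) {
  // Document validity (the original purpose of a VDU): every live doc needs
  // a string "type", and an update may not change it. These are "forbidden".
  if (!newDoc._deleted && typeof newDoc.type !== 'string') {
    throw { forbidden: 'doc.type is required' };
  }
  if (oldDoc && !newDoc._deleted && oldDoc.type !== newDoc.type) {
    throw { forbidden: 'doc.type may not change' };
  }
  // Role-dependent part: userCtx.roles and secObj come from the local server,
  // so this branch is where the result varies from one server to another.
  const namedAdmin = secObj.admins && secObj.admins.names &&
    secObj.admins.names.indexOf(userCtx.name) !== -1;
  const isAdmin = userCtx.roles.indexOf('_admin') !== -1 || namedAdmin;
  const isEditor = userCtx.roles.indexOf('editor') !== -1;
  if (!isAdmin && !isEditor) {
    throw { unauthorized: 'editor role required' };
  }
}

// Harness: map the thrown object to the HTTP status CouchDB would return
// (403 for forbidden, 401 for unauthorized, 201 when the write is accepted).
function tryUpdate(newDoc, oldDoc, userCtx, secObj) {
  try {
    validateDocUpdate(newDoc, oldDoc, userCtx, secObj);
    return { status: 201 };
  } catch (e) {
    if (e && e.forbidden) return { status: 403, reason: e.forbidden };
    if (e && e.unauthorized) return { status: 401, reason: e.unauthorized };
    throw e; // a real bug in the VDU, not a validation outcome
  }
}

// Constructed inputs: identical document and user name on both servers, but
// "alice" only holds the editor role on server A, and only "bob" is a named
// admin on server B.
const doc = { _id: 'article-1', type: 'article', title: 'hello' };
const userOnA = { name: 'alice', roles: ['editor'], db: 'docs' };
const userOnB = { name: 'alice', roles: [], db: 'docs' };
const secObjA = { admins: { names: [], roles: [] }, members: { names: [], roles: [] } };
const secObjB = { admins: { names: ['bob'], roles: [] }, members: { names: [], roles: [] } };

function demo() {
  return {
    serverA: tryUpdate(doc, null, userOnA, secObjA),            // accepted
    serverB: tryUpdate(doc, null, userOnB, secObjB),            // 401, same doc
    badDoc: tryUpdate({ _id: 'x' }, null, userOnA, secObjA),    // 403, no type
    typeChange: tryUpdate({ _id: 'article-1', type: 'note' }, doc, userOnA, secObjA) // 403
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The split between `forbidden` (the document itself is invalid, whoever sends it) and `unauthorized` (this caller may not write it here) is the distinction the thread circles around: the first is what a VDU was built for, the second is already server-dependent, and anything that reads from a request object would be server-dependent in the same way.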
