Hi, I am trying to understand how to secure couchdb with require_valid_user to prevent anonymous writes.
So far the documentation I have read indicates that I should create a validate_doc_update function on a per-database basis (I would prefer to avoid this if possible). It appears to me that once require_valid_user is set to true, HTTP authentication in futon fails and attempting to POST to /_session to authenticate fails. The only way to authenticate appears to be by specifying the username:password in the URL for the request. Is this correct? I imagine I am doing something wrong, but after setting require_valid_user to true (and uncommenting the WWW-Authenticate configuration option) I can no longer authenticate to futon using valid administrator credentials. The application code is fine, as it is not using a POST to /_session, but sometimes it is useful to log in to futon and view the data directly. If the only way is to write a validate_doc_update function, then I imagine userCtx would be null for anonymous users, so I can test against that to send a forbidden response. Any insights appreciated... -- mischa (aka muji).
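A validate_doc_update function of the kind the question describes, with a small local harness that exercises it, as an added example that is not from the original post or from the CouchDB project; the design-document name, the user contexts and the security object are constructed samples.

```javascript
// Validation function as CouchDB stores it in a design document's
// "validate_doc_update" field. CouchDB calls it with the new document,
// the existing document (or null), the requesting user's context and the
// database security object. For anonymous requests CouchDB passes a
// userCtx object whose "name" is null (the object itself is not null).
function validateDocUpdate(newDoc, oldDoc, userCtx, secObj) {
  if (!userCtx || userCtx.name === null) {
    // Throwing {forbidden: ...} makes CouchDB answer 403 to the write.
    throw { forbidden: 'Only authenticated users may write to this database.' };
  }
}

// Design document as it would be PUT to /<db>/_design/auth (constructed name).
// CouchDB keeps the function as source text, so it is serialised with toString().
const authDesignDoc = {
  _id: '_design/auth',
  validate_doc_update: validateDocUpdate.toString(),
};

// Rebuild the function from the stored source text, the way CouchDB's
// JavaScript query server would, so the harness runs what the design
// document actually contains.
const storedValidator = new Function('return ' + authDesignDoc.validate_doc_update)();

// Local harness: returns "ok" for an accepted write or "forbidden: <reason>"
// for a rejected one, mirroring the 201 / 403 a client would see.
function tryWrite(userCtx, doc) {
  const constructedSecObj = { admins: { names: [], roles: [] }, members: { names: [], roles: [] } };
  try {
    storedValidator(doc, null, userCtx, constructedSecObj);
    return 'ok';
  } catch (e) {
    if (e && e.forbidden) return 'forbidden: ' + e.forbidden;
    throw e;
  }
}

// Constructed sample user contexts: an anonymous request and an admin.
const anonymousCtx = { db: 'sample', name: null, roles: [] };
const adminCtx = { db: 'sample', name: 'admin', roles: ['_admin'] };

console.log(tryWrite(anonymousCtx, { _id: 'doc1', value: 1 }));
console.log(tryWrite(adminCtx, { _id: 'doc1', value: 1 }));
```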
