On May 25, 2014, at 7:49 AM, Michael C. Libby <[email protected]> wrote:
> The goal is to make sure that no user can see who the other users of the
> doc are. Also, they should only know about docs they have access to and
> whether they have read or write access.

CouchDB simply doesn’t have those kinds of access controls. Any user with access to a database can see all the contents of all the documents in the database, and query all the views. You can try to filter stuff out with show functions, but it’s trivial to work around by just doing a GET of the document or view itself.

The only way I know of to work around this is to use external software to block access to the REST API. The safest way is to completely block direct access to CouchDB and use a separate app server to generate the HTML, i.e. the same approach you’d use with MySQL.

—Jens
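
One way to apply the app-server approach described above, as an added example that is not part of the original message: the server fetches documents from CouchDB with its own credentials and redacts them per user before anything reaches the client. The `acl` field layout, the sample documents and all function names are assumptions made for illustration.

```python
# Added example: app-server-side filtering in front of CouchDB.
# Assumption: each document keeps its ACL in a hypothetical "acl" field,
# e.g. {"alice": "write", "bob": "read"}. CouchDB itself does not enforce it.
import copy

# Constructed sample documents, as the app server would fetch them from
# CouchDB with its own credentials (clients never reach CouchDB directly).
SAMPLE_DOCS = [
    {"_id": "doc1", "_rev": "1-a", "body": "budget", "acl": {"alice": "write", "bob": "read"}},
    {"_id": "doc2", "_rev": "1-b", "body": "roadmap", "acl": {"bob": "write"}},
    {"_id": "doc3", "_rev": "1-c", "body": "notes", "acl": {"alice": "read", "carol": "admin"}},
]

VALID_LEVELS = {"read", "write"}


def redact_for_user(doc, user):
    """Return a copy of doc that is safe to send to user, or None if no access."""
    acl = doc.get("acl")
    if not isinstance(acl, dict):
        return None  # fail closed: missing or malformed ACL means no access
    level = acl.get(user)
    if level not in VALID_LEVELS:
        return None  # unknown user or unrecognised level: document stays hidden
    safe = copy.deepcopy(doc)
    del safe["acl"]         # never reveal who else is on the document
    safe["access"] = level  # the caller learns only their own level
    return safe


def list_docs_for_user(docs, user):
    """Only the documents the user can access, each with other users stripped."""
    redacted = (redact_for_user(doc, user) for doc in docs)
    return [d for d in redacted if d is not None]


def can_write(doc, user):
    """Check the app server runs before forwarding an update to CouchDB."""
    acl = doc.get("acl")
    return isinstance(acl, dict) and acl.get(user) == "write"


if __name__ == "__main__":
    for view in list_docs_for_user(SAMPLE_DOCS, "alice"):
        print(view)
```

This only holds if CouchDB's REST port is unreachable from clients, since a direct GET of the document would return the full `acl` field.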
