To clarify, I am using middleware and am not presenting the API or Futon directly to the end user.

When it comes to security, I tend to turn everything off by default, and then only permit what I want to trickle through. The middleware uses a non-admin account. However, this middleware has no business in listing all documents.

This link has suggested using a proxy, as have others:
https://stackoverflow.com/questions/1923352/how-to-secure-couchdb

It mentions to "rewrite /_all_docs and /*/_design/* to a 404 page". I would further conclude that /*/_changes needs to be included.

> This seems like a brittle approach, what are you trying to accomplish?

Agreed. As shown above, there may be other endpoints I am not aware of. I would like to explicitly rewrite URLs, rather than implicitly.

Consider the following -

http://x.x.x.x:5984/db/_all_docs (deny)
http://x.x.x.x:5984/db/d3b07384d113edec49eaa6238ad5ff00 (permit any doc for reading)

Perhaps I could rewrite /*/_* to 404, and then permit only specific views should I need them? ( /*/_view/xxxx )

Thanks

On Tue, Jul 28, 2015 at 5:54 PM, Jan Lehnardt <[email protected]> wrote:

> > On 28 Jul 2015, at 02:39, jumbo jim <[email protected]> wrote:
> >
> > Hi,
> >
> > It is possible to disable the "_all_docs" feature by editing the local.ini
> > and entering the following -
> >
> > [httpd_db_handlers]
> > _all_docs =
> >
> > However, I then realised that a user could basically get a full listing of
> > all documents by requesting _changes. So, I now use -
> >
> > [httpd_db_handlers]
> > _all_docs =
> > _changes =
> >
> > Do I need to close anything else off if I want to prevent a particular user
> > from seeing a list of all documents?
>
> This seems like a brittle approach, what are you trying to accomplish?
>
> > Also - is it possible to disable _all_docs/ and _changes for only
> > specific databases? I would still like the admin to use _all_docs/ and
> > _changes
>
> That’s not possible.
>
> Best
> Jan
> --
> >
> > Thanks
>
> --
> Professional Support for Apache CouchDB:
> http://www.neighbourhood.ie/couchdb-support/
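
The default-deny idea discussed in this thread, written as an allowlist check that a proxy or the middleware could apply before forwarding a request to CouchDB. This is an added example, not code from either participant: the database name `db`, the design document `app`, the view `by_date` and the restriction of document IDs to simple alphanumeric strings are assumptions, and the view URL shape used is CouchDB's `/db/_design/<ddoc>/_view/<view>`.

```python
import re
from urllib.parse import unquote

# Assumed values for illustration; none of these names come from the thread.
ALLOWED_DBS = {"db"}
ALLOWED_VIEWS = {("app", "by_date")}  # (design doc, view) pairs the middleware needs
READ_METHODS = {"GET", "HEAD"}
# A plain document ID segment: no leading "_" (reserved by CouchDB) and no
# "/", "%" or other character that a second decoder could reinterpret.
PLAIN_SEGMENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.\-]*")


def is_permitted(method: str, raw_path: str) -> bool:
    """Default deny: True only for a read that the allowlist names explicitly."""
    if method.upper() not in READ_METHODS:
        return False
    path = raw_path.split("?", 1)[0]      # the query string plays no part here
    parts = path.split("/")
    if parts[0] != "":                    # the path must be absolute
        return False
    # Decode each segment once. "%5Fall_docs" becomes "_all_docs" (leading "_")
    # and "%255Fall_docs" becomes "%5Fall_docs" (contains "%"); both are denied.
    segs = [unquote(p) for p in parts[1:]]
    if not segs or segs[0] not in ALLOWED_DBS:
        return False
    if len(segs) == 2:                    # /db/<docid>
        return PLAIN_SEGMENT.fullmatch(segs[1]) is not None
    if len(segs) == 5 and segs[1] == "_design" and segs[3] == "_view":
        return (segs[2], segs[4]) in ALLOWED_VIEWS
    return False                          # any other endpoint, known or unknown


if __name__ == "__main__":
    # Constructed sample requests, using the document ID quoted in the thread.
    samples = [
        ("GET", "/db/d3b07384d113edec49eaa6238ad5ff00"),
        ("GET", "/db/_all_docs"),
        ("GET", "/db/_changes"),
        ("GET", "/db/%5Fall_docs"),
        ("GET", "/db/_design/app/_view/by_date?limit=10"),
        ("PUT", "/db/d3b07384d113edec49eaa6238ad5ff00"),
    ]
    for method, path in samples:
        verdict = "permit" if is_permitted(method, path) else "deny"
        print(f"{verdict:6} {method:4} {path}")
```

Because the function names what is allowed instead of what is blocked, an endpoint nobody thought of falls through to the final `return False`.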
