On Sun, Sep 14, 2008 at 12:52, Noah Slater <[EMAIL PROTECTED]> wrote:
> On Sun, Sep 14, 2008 at 12:41:44PM +0200, Michele Sciabarra wrote:
>> As Jan told in the recent FLOSS weekly podcast, "there is no security in
>> CouchDB".

Thanks, I had missed the FLOSS podcast; I am downloading it as I write.

> But as CouchDB speaks HTTP, you can take advantage of REST architecture by
> layering reverse proxies that implement your chosen security restrictions.

Absolutely. It also seems quite possible to implement some "security" (maybe not the best word to use) measures yourself, by creating a small wrapper around your chosen method to access CouchDB and leveraging the flexibility of CouchDB documents and databases (for example by adding similar items already mentioned above, such as lists of users and/or groups that are allowed to access a certain document). I haven't really thought this through though, so I may be wrong... but it seems pretty close to what is described in the CouchDB documentation, except there the code is put in the document (and/or in a design document) and it gets automatically called when you try to access a document...

I should also clarify that what I am (at the moment) mostly interested in is the ability to do document-level authorization (for example saying that "user a, b, and c are allowed to read and write this document" or "group d is allowed to read this document").

I guess what I am trying *not* to do is duplicate work that has already been done, or is in the pipeline.

Anyway, thanks for your input guys!

johan
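The wrapper idea described in the message above, as an added example that is not part of the original post and is not CouchDB code: per-document lists of users and groups are checked before a read or an update. The `readers`/`writers` field names, the `AclWrapper` class and the dict standing in for a database are all assumptions made for illustration.

```python
class Forbidden(Exception):
    """Raised for both missing and unauthorized documents, so ids cannot be probed."""


def _matches(acl, user, groups):
    # Fail closed: a missing or empty ACL matches nobody.
    acl = acl or {}
    if user in acl.get("users", ()):
        return True
    return bool(set(groups) & set(acl.get("groups", ())))


class AclWrapper:
    """Hypothetical access layer; `db` is a dict standing in for a CouchDB database."""

    def __init__(self, db):
        self.db = db

    def can_write(self, doc, user, groups):
        return _matches(doc.get("writers"), user, groups)

    def can_read(self, doc, user, groups):
        # Writers may also read; readers may only read.
        return _matches(doc.get("readers"), user, groups) or self.can_write(doc, user, groups)

    def read(self, doc_id, user, groups=()):
        doc = self.db.get(doc_id)
        if doc is None or not self.can_read(doc, user, groups):
            raise Forbidden(doc_id)
        return dict(doc)

    def update(self, doc_id, body, user, groups=()):
        stored = self.db.get(doc_id)
        # Decide from the ACL already stored, never from the submitted body;
        # otherwise a caller could grant themselves access in the same request.
        if stored is None or not self.can_write(stored, user, groups):
            raise Forbidden(doc_id)
        self.db[doc_id] = dict(body)


def sample_db():
    # Constructed sample: users a, b, c may read and write; group d may read.
    return {"report": {
        "text": "draft",
        "writers": {"users": ["a", "b", "c"], "groups": []},
        "readers": {"users": [], "groups": ["d"]},
    }}
```

A wrapper like this only enforces anything if clients cannot reach the database's HTTP port directly, which is where the reverse proxy mentioned in the quoted reply comes in.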
