My webapp PUTs data to a URL like /controller/couchdb_db_doc_id. The associated action currently performs no security checks. Specifically, it doesn't ensure that the user making the PUT request and modifying the data actually owns the associated document.
Given a UUID as a doc id, the chances of guessing a doc id are very low indeed; successfully guessing a typical user's password would be much easier. In order for an attack to be successful the attacker would have to first guess a document id - extremely unlikely. This leads me to believe that I don't *need* to perform any security checks when modifying a document as described above. Any thoughts to the contrary?

Cheers

Paul
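The PUT action as the post describes it, next to the same action with the ownership check the post says is absent. This is an added example, not code from the original post. The in-memory `DB` dict standing in for CouchDB, the `owner` field, and all function and exception names are assumptions.

```python
import uuid

# Constructed in-memory stand-in for the CouchDB database (assumption).
DB = {}

# Fields the client must never be able to set through a PUT body (assumption).
PROTECTED_FIELDS = ("_id", "owner")


class NotFound(Exception):
    """Raised for both missing documents and documents owned by someone else."""


def create_doc(session_user, data):
    """Store a new document under a random UUID and record who owns it."""
    doc_id = uuid.uuid4().hex
    DB[doc_id] = {**data, "_id": doc_id, "owner": session_user}
    return doc_id


def put_unchecked(doc_id, data):
    """The action as described in the post: knowing the id is the only gate."""
    doc = DB.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    doc.update(data)
    return doc


def put_checked(session_user, doc_id, data):
    """Same action, but the write is tied to the authenticated session user."""
    doc = DB.get(doc_id)
    # One error for "missing" and "not yours", so the response does not
    # confirm to a non-owner that a given id exists.
    if doc is None or doc["owner"] != session_user:
        raise NotFound(doc_id)
    # Drop protected fields so a PUT body cannot reassign ownership.
    doc.update({k: v for k, v in data.items() if k not in PROTECTED_FIELDS})
    return doc
```

With `put_checked`, authorization no longer depends on the document id staying secret; the id in the URL only selects the document.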
