[
https://issues.apache.org/jira/browse/COUCHDB-442?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12736975#action_12736975
]
Curt Arnold commented on COUCHDB-442:
-------------------------------------
I wasn't familiar with _lists and _shows, I've been head down into an system
using CouchDB for a while and hadn't tracked their development. There are some
similarities between the functionality, but not quite the same.
To accomplish the authorization goal, you would need to be able to specify that
a user could run a particular view only when it is in the context of a specific
list request. That would require the view processor to be aware of its context
and run with some elevated privilege which sounds like a recipe for problems.
JIRA works well to focus discussion around specific feature requests. Having
specific byte-sized enhancements defined in JIRA should make it easier to new
people to pick up and contribute to the project. However, I'll switch to
starting discussion on new features on the mailing list first and then create
the JIRA entry when the discussion dies down.
> Add a "view" or "format" function to process source doc on query
> ----------------------------------------------------------------
>
> Key: COUCHDB-442
> URL: https://issues.apache.org/jira/browse/COUCHDB-442
> Project: CouchDB
> Issue Type: Improvement
> Components: JavaScript View Server
> Reporter: Curt Arnold
>
> It is common practice to do emit(key, null) in a map function and then query
> with ?include_docs=true to retrieve the documents that were responsible for
> the entries. However, the full document may include information that is
> privileged or the full document may be substantially larger than the
> information needed to be transferred to the client.
> The proposed enhancement is to allow defining a "view" function in addition
> to the existing "map" and "reduce" on a view. If specified, the view
> function would take the id, key, value and doc and return a JSON value that
> would be added as the "view" member to the row in the result set.
> One of the use cases on
> http://wiki.apache.org/couchdb/Authentication_and_Authorization is to be able
> to specify that a user can retrieve the values from a view, but not add
> include_docs since that may expose information that they are not authorized
> to view. Without the "view" function, there would be pressure to start
> pushing things into the emitted value.
> Production of views would be likely controlled using a include_views=true in
> the query string.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
