I'm curious if there are any significant technical obstacles or
philosophical objections to having per-document filtering for reads.
My idea is to add a new special field on the document that indicates a
function that can modify the document before returning it to the user.
function(doc, req) {
/* modify doc based on req or just throw exception */
return doc;
}
I was thinking the contents of the special field could be either the content
of the function or a string path to a function on a design document in the
same db.
If the field is present on a document then the function is applied whenever
the document is being directly accessed by the user: http get, view w/
include_docs, pull replication, etc.
In general, I like the idea of using database partitioning and filtered
replication for the major firewalls of security in an application. But I
think a large class of applications would benefit from some mechanism to
prevent anonymous reads for a few special documents (like design documents)
or sanitize fields within a class of documents for
particularly unprivileged users.
Obviously, just having the option available imposes a performance hit even
on documents without the special field (whatever it takes to check if the
field is present). Is this significant enough to strike the entire idea?
- Chad
