nkev commented on issue #1524:
URL: https://github.com/apache/couchdb/issues/1524#issuecomment-3143646264
I'm sure this would already have been considered but I'll throw it out there
anyway... :)
I wonder whether enforcing a `classic filter` (i.e. `function(doc, req)`) is
an easy way to control user access to documents. Consider the following change
to the `/{db}/_security` document:
```JSON
{
  "admins": {
    "names": [
      "superuser"
    ],
    "roles": [
      "admins"
    ]
  },
  "members": {
    "names": [
      "user1",
      "user2"
    ],
    "roles": [
      "consumer",
      "reseller"
    ],
    "accessFilter": "membersFilter"
  }
}
```
The new `accessFilter` property within the `members` object would force all
`member` reads, writes and change-feed requests (e.g. via PouchDB) to go
through the `membersFilter` function, like below. This would allow developers
to write whatever rules they like in the filter function to control document
access for all members, for example, by roles:
```Javascript
function(doc, req) {
  // a member user with 'consumer' role can READ documents with doc.type == 'product'
  if (req.method == 'GET' && doc.type == 'product' &&
      req.userCtx.roles.indexOf('consumer') > -1) {
    return true;
  }
  // a member user without 'reseller' role cannot access reseller admin page
  if (req.raw_path.startsWith("/reseller/") &&
      req.userCtx.roles.indexOf('reseller') == -1) {
    return false;
  }
  // other app specific custom conditions here...
}
```
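An added sketch, not part of nkev's comment and not CouchDB code: it runs the proposed filter (with its parenthesis closed) against constructed requests under an assumed enforcement rule in which only an explicit `true` grants access. `isAllowed`, `makeReq` and the sample documents are hypothetical names, and `accessFilter` exists only as the proposal in the comment.

```javascript
// Added illustration. `accessFilter` is the commenter's proposal, not
// an existing CouchDB option; this only simulates how it might be enforced.
function membersFilter(doc, req) {
  if (req.method == 'GET' && doc.type == 'product' &&
      req.userCtx.roles.indexOf('consumer') > -1) {
    return true;
  }
  if (req.raw_path.startsWith('/reseller/') &&
      req.userCtx.roles.indexOf('reseller') == -1) {
    return false;
  }
  // No rule matched: the function returns undefined.
}

// Assumed enforcement point: default deny. Only an explicit `true` grants
// access; undefined, other values and exceptions all deny.
function isAllowed(filter, doc, req) {
  try {
    return filter(doc, req) === true;
  } catch (err) {
    return false;
  }
}

// Constructed sample requests and documents (not from the issue).
function makeReq(method, rawPath, roles) {
  return { method: method, raw_path: rawPath, userCtx: { name: 'user1', roles: roles } };
}

const product = { _id: 'p1', type: 'product' };
const invoice = { _id: 'i1', type: 'invoice' };

const cases = [
  ['consumer reads product', product, makeReq('GET', '/shop/p1', ['consumer'])],
  ['consumer writes product', product, makeReq('PUT', '/shop/p1', ['consumer'])],
  ['consumer opens reseller path', invoice, makeReq('GET', '/reseller/i1', ['consumer'])],
  ['reseller opens reseller path', invoice, makeReq('GET', '/reseller/i1', ['reseller'])],
  ['consumer reads product via reseller path', product, makeReq('GET', '/reseller/p1', ['consumer'])],
];

function evaluate() {
  return cases.map(([label, doc, req]) => [label, isAllowed(membersFilter, doc, req)]);
}

for (const [label, allowed] of evaluate()) {
  console.log((allowed ? 'ALLOW ' : 'DENY  ') + label);
}
```

Under this assumption the reseller is denied its own path because no rule returns `true` for it, and the consumer rule wins over the reseller-path rule when both match, so rule order and an explicit fall-through result both need to be part of any such filter.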