I am a CouchDB user. I need more granularity in terms of DB authorization, e.g. limit who can read a document in a shared database.
It appears that show functions do get passed the request object, (doc, req), however it looks like this is discouraged via a deprecation warning. Update validation documents pass (newDoc, oldDoc, userCtx, secObj) to the query server, however I need the request object, and for *all* HTTP methods. src/chttpd/src/chttpd_node.erl seems to handle HTTP requests but I do not know Erlang well enough to pipe all requests out. I would really like to allow clients/browsers to communicate directly with couch (albeit via recommended reverse proxy) and not force all db requests through, for example, Node.js. It seems like the query server architecture is 99% there in terms of what I need - it's just that I need the full request object and need my validation to get called for every HTTP method. How can I restrict access to a document in a shared database based on userID? I believe I need to intercept HTTP requests and validate them, right? --
