Each *document* OR *field* gets a security object, e.g. "s" below,
corresponding to CRUD vis-à-vis HTTP verbs. Keep It Simple, Stupid (KISS)
principle. https://en.wikipedia.org/wiki/KISS_principle

{
  "_id": "b7e07b751d8679044f4e49d166000031",
  "_rev": "4-3a82e30d9a3544f5ea8314a847b3b317",
  "s": {
    "put": [
      "user1",
      "user2"
    ],
    "get": [
      "public"
    ],
    "post": [
      "user1",
      "user3"
    ],
    "delete": [
      "user1",
      "user2"
    ]
  },
  "foo": {
    "hello": "world",
    "s": {
      "put": [
        "user1",
        "user2"
      ],
      "get": [
        "public"
      ],
      "post": [
        "user1",
        "user3"
      ],
      "delete": [
        "user1",
        "user2"
      ]
    }
  }
}

On Sat, Jul 8, 2023 at 4:14 PM Ronnie Royston <[email protected]>
wrote:

> That does help. When I (re) consider porting/fwd'ing/piping from Couch to
> Node back to Couch it seems clear:
>
> Node.js (or other server/service) in front of Couch and end users have no
> direct access to Couch. Ever. End of story CouchDB authentication story.
> And that's OK. CouchDB is still a great DB product. You just have to roll
> your own auth proxy.
>
> Took me about a week of research to arrive there.
>
> On Sat, Jul 8, 2023 at 3:26 PM ermouth <[email protected]> wrote:
>
>> > The aim is to implement a least privilege model
>>
>> To achieve that with _rewrite you very likely still need at least a simple
>> proxy, which will redirect most or all inbound requests to a particular
>> _rewrite endpoint. In this case R.Newson’s argument doesn’t stand; rewrite
>> becomes mandatory.
>>
>> As for creating DBs – that’s right, a user can’t create DBs without being an
>> _admin.
>>
>> As for deprecation – about 80% of QS methods are deprecated, anyway they
>> are useful and there’s no reason not to use them. Porting _rewrite to
>> node.js is pretty straightforward if needed.
>>
>> Hope it helps.
>>
>> ermouth
>>
>
>
> --
> Ronnie Royston
> (504) 460-1592
>


-- 
Ronnie Royston
(504) 460-1592
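As an added example (not code from the post above or from the CouchDB project), this is how a Node.js auth proxy sitting in front of CouchDB might evaluate the per-document / per-field "s" object described in the message. The verb-to-key mapping, the treatment of "public" as a reserved principal that matches anonymous callers, the rule that a field without its own "s" inherits the enclosing document's "s", default deny for everything else, and the stripping of "s" from GET responses are all assumptions; the sample document is constructed to match the shape in the post.

```javascript
// Assumption: a document and, optionally, each of its fields carries an "s"
// object whose keys are the HTTP verbs and whose values are lists of user
// names. "public" is a reserved name meaning "anyone, including anonymous".
const VERB_TO_KEY = { GET: "get", PUT: "put", POST: "post", DELETE: "delete" };

// Constructed sample document (same shape as the one in the post, but with
// a field-level "s" that differs from the document-level one).
const sampleDoc = {
  _id: "b7e07b751d8679044f4e49d166000031",
  s: { put: ["user1", "user2"], get: ["public"], post: ["user1", "user3"], delete: ["user1", "user2"] },
  foo: { hello: "world", s: { put: ["user1"], get: ["user1", "user2"], post: ["user1"], delete: ["user1"] } },
  bar: { note: "inherits the document-level s" },
};

// Does this "s" object grant `verb` to `user`? Anything not explicitly listed
// is denied (unknown verb, missing verb key, non-array value).
function allowedBy(secObj, verb, user) {
  if (!secObj || typeof secObj !== "object") return false;
  const key = VERB_TO_KEY[String(verb).toUpperCase()];
  if (!key) return false;
  const principals = secObj[key];
  if (!Array.isArray(principals)) return false;
  // A caller who authenticated as the literal name "public" must not inherit
  // the anonymous grant; the proxy should refuse to create such a user anyway.
  const subject = user === "public" ? null : user;
  return principals.includes("public") || (subject != null && principals.includes(subject));
}

// Authorize `verb` for `user` on the whole document (path = []) or on the
// field reached by `path` (e.g. ["foo", "hello"]). The innermost "s" found
// along the path is the effective policy; an unknown path is denied.
function authorize(doc, verb, user, path = []) {
  let node = doc;
  let effective = doc && doc.s;
  for (const key of path) {
    if (node === null || typeof node !== "object" || !Object.prototype.hasOwnProperty.call(node, key)) return false;
    node = node[key];
    if (node && typeof node === "object" && node.s) effective = node.s;
  }
  return allowedBy(effective, verb, user);
}

// Remove every "s" object before a document leaves the proxy, so the policy
// (and the user names in it) is not disclosed to readers.
function stripPolicy(value) {
  if (Array.isArray(value)) return value.map(stripPolicy);
  if (value && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) if (k !== "s") out[k] = stripPolicy(v);
    return out;
  }
  return value;
}

// Build the GET response for `user`: null if the document itself is not
// readable, otherwise a copy containing only the top-level fields the caller
// may read (CouchDB metadata such as _id/_rev is always passed through).
function redactForGet(doc, user) {
  if (!authorize(doc, "GET", user)) return null;
  const out = {};
  for (const [key, value] of Object.entries(doc)) {
    if (key === "s") continue;
    if (key.startsWith("_") || authorize(doc, "GET", user, [key])) out[key] = stripPolicy(value);
  }
  return out;
}

module.exports = { authorize, redactForGet, stripPolicy, sampleDoc };

// Demo: user3 may read the document but not "foo", which has its own "s".
console.log(JSON.stringify(redactForGet(sampleDoc, "user3")));
```

The proxy would call `authorize` once per inbound request with the verb and the authenticated user, and pass GET responses through `redactForGet` before returning them; because the policy lives inside the document, the proxy has to fetch the current revision before deciding on a PUT or DELETE, which is one more reason end users should never reach CouchDB directly.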
