stackoom
  简体   繁体   中英

CouchDB / PouchDB partial syncs with limited rights

 原文  2016-04-27 22:16:25       synchronization/ couchdb/ pouchdb/ access-rights

Question

I just stumbled across CouchDB and PouchDB sync features. Typically web applications have an application server implementing authentication, rights and business logic allowing to limit users access to specific resources/records. This brought up several questions in my mind:

  1. Is it possible to limit access to records within couch db. Eg. a super-admin sees everything, a department-manager everything of his department and a simple user only his own records or eg tasks assigned to him?
  2. Is CouchDB + PouchDB have the ability to only do partial syncs. eg sync all tasks I'm responsible for?
  3. Would you use CouchDB for user authentication and rights storage (for the above use case)? It seems anyhow weird me since the user DB gonna be accessible from everyone as far as it seems to me.

2 answers

solution1
 1  2016-04-29 07:34:34

Is it possible to limit access to records within couch db. Eg. a super-admin sees everything, a department-manager everything of his department and a simple user only his own records or eg tasks assigned to him?

Nope. You can't do this with a single DB and using only CouchDB. But there are a few ways you can realize this, for instance:

  • use a database per project/user group/user. This would probably in most cases be the preferred method. Creating databases is easy in CouchDB. It would also be best for syncing
  • create a smart proxy that wraps all documents with the user credentials and filters all results
  • encrypt documents on a per user basis
  • use validate_doc_read and validate_doc_update functions

More info here: https://wiki.apache.org/couchdb/PerDocumentAuthorization

solution2
 0  2016-04-28 07:01:34

Is it possible to limit access to records within couch db. Eg. an super-admin sees everything, a department-manager everything of his department and a simple user only his own records or eg tasks assigned to him?

Off-the-shelf security policies are very basic, but you can do a lot of things with advanced features.

What you want to do could be done simply with a show function that would generate a different output depending on req.userCtx .

In different settings (authorization based on user/method/URI, with or without third party authentication), because CouchDB is fully REST compliant, you can also use an HTTP reverse proxy for security related features.

Is CouchDB + PouchDB have the ability to only to partial syncs. eg sync all tasks I'm responsible for?

In CouchDB, this is called "filtered replications" .

Seems anyhow weird me since the user DB gonna be accessible from everyone as far as it seems to me.

Of course not. In normal mode (not "admin party"), other users have only access to "public" attributes, and, of course, only the user herself can update her user document (see documentation ).

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Prioritization in CouchDB and PouchDB syncing Filtered Sync between CouchDB and PouchDB Intercepting PouchDB communications with CouchDB backend Using PouchDB+CouchDB sync capabilities with a Laravel PouchDB to CouchDB sync saves filters as views One pouchDB per user on the same device syncing with a single CouchDB Creating an App That Syncs with Smartwatch Android ordered syncs Star topology in Unison with selective bidirectional syncs? Multiple requests on PouchDB sync
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM