
I made a list to filter view results because of security issues. The list filters a defined view in the database according to the user session attributes. That's exactly what I wanted.

Example Uri: http://localhost:5984/hrtool/_design/hrtool/_list/candidates/candidates

But there's still one problem: by guessing the Couch REST API, someone can get the complete view. Example: http://localhost:5984/hrtool/_design/hrtool/_view/candidates/

Is there a possibility to prevent such calls on the view?

Thanks in advance fadh

fadh
  • You realize that everybody has their own version of `localhost`, don't you? Posting URLs to servers on your laptop doesn't help. Similarly, the people on TV cannot see you. – Michael Lorton Aug 19 '11 at 16:40
  • I think the use of the word 'example' makes it quite clear that these URLs are not supposed to be resolved. – Robert Newson Aug 19 '11 at 20:51

1 Answer

Read access to couchdb is per-database, not per-view, so, no, you won't be able to prevent users with read access to the database from reading the entire view.

You could make a db per user, where each database contains only the data that should be visible to that user, instead.

Robert Newson
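A sketch of the db-per-user layout the answer suggests, as an added example that is not code from the original thread: it plans the CouchDB requests that create one database per user, restrict its `_security` members to that user, and copy in only the documents that user may see. The `visible_to` field, the `userdb-` hex naming scheme and the sample documents are assumptions made for illustration.

```python
import json
from collections import defaultdict

def user_db_name(username):
    # Hex-encode the name so any username yields a legal CouchDB database name
    # (lowercase letters, digits and a few symbols, starting with a letter).
    if not username:
        raise ValueError("empty username would leave the database without a member")
    return "userdb-" + username.encode("utf-8").hex()

def security_doc(username):
    # _security object: only this user is a member, so only this user
    # (and server admins) can read the database, raw views included.
    return {"admins": {"names": [], "roles": []},
            "members": {"names": [username], "roles": []}}

def plan_per_user_dbs(docs, acl_field="visible_to"):
    """Return the HTTP requests (method, path, body) that split docs per user."""
    per_user = defaultdict(list)
    for doc in docs:
        # Drop _rev: the copy is a new document in a different database.
        copy = {k: v for k, v in doc.items() if k != "_rev"}
        allowed = copy.pop(acl_field, [])  # no ACL field: copied nowhere (fail closed)
        for user in allowed:
            per_user[user].append(copy)
    requests = []
    for user in sorted(per_user):
        db = user_db_name(user)
        requests.append(("PUT", f"/{db}", None))
        requests.append(("PUT", f"/{db}/_security", security_doc(user)))
        requests.append(("POST", f"/{db}/_bulk_docs", {"docs": per_user[user]}))
    return requests

# Constructed sample data (hypothetical field names), not from the question.
SAMPLE_DOCS = [
    {"_id": "cand-1", "_rev": "1-abc", "name": "A. Example", "visible_to": ["alice"]},
    {"_id": "cand-2", "_rev": "1-def", "name": "B. Example", "visible_to": ["alice", "bob"]},
    {"_id": "cand-3", "_rev": "1-ghi", "name": "C. Example"},
]

if __name__ == "__main__":
    for method, path, body in plan_per_user_dbs(SAMPLE_DOCS):
        print(method, path, json.dumps(body) if body is not None else "")
```

Sending the planned requests requires server admin credentials, since creating a database and writing its `_security` object are admin operations.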