Can I restrict unauthenticated users from accessing _all_docs?


Question

I'd like people to be able to share documents privately, using a link with a random id, like I get after posting a private link to a pastebin. I want to know both for CouchDB and Cloudant in general.

Answer

With Apache CouchDB, read permission is per-database, not per-document. If a user can fetch a document from a database, the user can fetch _all_docs?include_docs=true too.

I wrote details in this question about CouchDB read authorization.

There are a few approaches:

  1. Layer-7 firewall or reverse HTTP proxy. This is hard to do correctly; IMO not feasible for most. You must be very familiar with CouchDB's API to be sure every possible query is blocked (e.g. _rewrite going around your filter).

  2. One database per user. This is CouchDB's native solution. Creating databases is very cheap. Then, replicate the documents the user can see to his or her database. The user needs a password on the Couch, or an OAuth account.

I have had success recently with per-user databases but also a unique key in the URL that grants them immediate access. It feels like the thing you want, however under the hood I am just creating throwaway accounts with random passwords. The link goes to a public page such as www.example.com/pastebin/index.html?doc_id=some_docid&secret=random_secret. Then JavaScript on the browser will read window.location and insert that password into the AJAX query (in an Authorization header). Couch grants permission and the user is happy. Unfortunately, this required a little bit of trial and error; however it's mostly simple web programming.
