CouchDB: Restricting users to only replicating their own documents


Problem description



I'm having trouble finding documentation on the request object argument used in replication filters ('req' in the sample below):

function(doc, req) {
  // what is inside req???
  return false;
}

This old CouchBase blog post has a little code snippet that shows the userCtx variable being a part of the request object:

What is this userCtx? When you make an authenticated request against CouchDB, either using HTTP basic auth, secure cookie auth or OAuth, CouchDB will verify the user’s credentials. If they match a CouchDB user, it populates the req.userCtx object with information about the user.

This userCtx object is extremely useful for restricting replication of documents to the owner of the document. Check out this example:

function(doc, req) {
  // require a valid request user that owns the current doc
  if (!req.userCtx.name) {
    throw("Unauthorized!");
  }
  if(req.userCtx.name == doc.owner) {
    return true;
  }
  return false;
}

But the problem now is that CouchDB requires the filter method to be explicitly chosen by the initiator of the replication (in this case, the initiator is a mobile user of my web app):

curl -X POST http://127.0.0.1:5984/_replicate \
     -H 'Content-Type: application/json' \
     -d '{"source":"database",
          "target":"http://example.com:5984/database",
          "filter":"example/filtername"}'

The Question

Is there a way to enforce a specific filter by default so that users are restricted to replicating only their own data? I'm thinking the best way to do this is to use a front end to CouchDB, like Nginx, and restrict all replication requests to ones that include that filter. Thoughts? Would love a way to do this without another layer in front of CouchDB.

Solution

Data replication goes hand in hand with the user's ability to read data. If your users share data within a single database, all of them have the right to replicate all of it to their local couches. So you can't apply any document read restriction unless you split the single shared database into several personal ones - this is a common use case for such situations.

There isn't any way to enforce applying a changes feed filter or other parameters like views have. However, you can use rewrites to wrap requests to some resources with predefined query parameters or even with dynamic ones. This is not quite the solution you expected, but it's still better than nginx and some logic on its side: probably, you'd want to allow users to specify custom filters with custom query parameters and enforce your own only if nothing is specified, right?

P.S. The req object holds very useful information about the current request. It was partially described on the wiki, but that's a little out of date. However, it's easy to view it with a simple show function:

function(doc, req){
    return {json: req}
}
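
The point of the answer above, as an added example that is not part of the original question or answer: a replication filter only runs when the requester names it, whereas a per-user database's `_security` members list is enforced on every read. The helpers `simulateChanges`, `perUserSecurity` and `canRead` are hypothetical, simplified stand-ins for server behaviour, and the documents are constructed sample data.

```javascript
// Added example: constructed sample data; helper names are hypothetical.
// The filter from the question, unchanged in behaviour.
function ownerFilter(doc, req) {
  if (!req.userCtx.name) {
    throw new Error("Unauthorized!");
  }
  return req.userCtx.name === doc.owner;
}

// Simplified stand-in for how a changes feed is built:
// the filter runs only if the requester asked for one.
function simulateChanges(docs, req, filterFn) {
  if (!filterFn) {
    return docs.map(d => d._id); // no filter requested: every readable doc
  }
  return docs.filter(d => filterFn(d, req)).map(d => d._id);
}

// _security object for a personal database: only `user` is a member.
function perUserSecurity(user) {
  return {
    admins: { names: [], roles: [] },
    members: { names: [user], roles: [] }
  };
}

// Simplified read check: an empty members list means a public database;
// otherwise the user must match by name or role (server admins always pass).
function canRead(security, userCtx) {
  const m = security.members;
  if (m.names.length === 0 && m.roles.length === 0) return true;
  return m.names.includes(userCtx.name) ||
         userCtx.roles.some(r => r === "_admin" || m.roles.includes(r));
}

const sharedDocs = [
  { _id: "a1", owner: "alice" },
  { _id: "b1", owner: "bob" },
  { _id: "a2", owner: "alice" }
];
const bob = { userCtx: { name: "bob", roles: [] } };

console.log(simulateChanges(sharedDocs, bob, ownerFilter)); // filter requested
console.log(simulateChanges(sharedDocs, bob, null));        // filter omitted
console.log(canRead(perUserSecurity("alice"), bob.userCtx)); // separate database
```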
