Couchdb apply filter server side

0
votes

I'm developing a mobile app using PouchDB (client-side) and CouchDB (server-side).

I need to secure docs in order to allow users to read/write his own documents only.

I did a filter for this, something like:

function(doc, req) {
    return doc.owner == req.userCtx.name || doc.sharedWith == req.userCtx.name;
}

and it works well, but only if the request from client includes the filter:

/somedatabase/_alldocs?filter=filter/secure

I need CouchDB to use the filter in every request, with or without client explicitation, for obvious security reasons. Is this even possible? Otherwise which is the correct approch to handle these security issues?

There is a similar question here but the answer is not applicable in my case since I need to share docs between users and replicate them between all databases is not a valid option.

2
couchdbreplicationpouchdb

2 Answers

2
votes

So I don't know if you have looked at this wiki but it lists few options available. Some of them are outdated tho.

Per user database

Probably the most popular solution. As you said, you need to share documents with other users. This could be done by :

  1. Copy document to other users when sharing. You could have a deamon that listen to _changes feed and update the author file in other users database.
  2. Build a web service to access shared documents (very similar to proxy solution)

Smart Proxy

Build a smart proxy in front of your database and do some business logic to fetch the documents. This gives you more control on your data flow but it will surely be slower.

Note

The validate_doc_read server function could interest you but it has never been part of CouchDB's releases(due to the listed limitations).

0
votes

Uhm, probably it isn't. The app that we are developing need to share documents with different users. any doc could be shared with a different group of users