2
votes

I made a list to filter view result because of security issues. The list filters a defined view in the database according to the user session attributes. That's exactly what I wanted.

Example Uri: http://localhost:5984/hrtool/_design/hrtool/_list/candidates/candidates

But there's still one problem: By guessing the Couch REST API, someone can get the complete view: Example: http://localhost:5984/hrtool/_design/hrtool/_view/candidates/

Is there a possibility to prevent such calls on the view?

Thanks in advance, fadh

1
You realize that everybody has their own version of localhost, don't you? Posting URLs to servers on your laptop doesn't help. Similarly, the people on TV cannot see you. – Malvolio
I think the use of the word 'example' makes it quite clear that these URLs are not supposed to be resolved. – Robert Newson

1 Answer

3
votes

Read access to CouchDB is per-database, not per-view, so, no, you won't be able to prevent users with read access to the database from reading the entire view.

You could make a db per user, where each database contains only the data that should be visible to that user, instead.
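A sketch of the db-per-user layout suggested in the answer above, added here as an example and not code from the answer or from CouchDB itself. It builds the HTTP requests that close the shared `hrtool` database to ordinary users, create a private database for one user, restrict its `_security` members to that user, and copy only that user's documents across with a replication selector. The `owner` document field, the `userdb-<hex>` naming scheme and the admin `Authorization` header are assumptions, and replication credentials are omitted.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import quote


def user_db_name(username: str) -> str:
    # Assumed naming scheme: hex-encode so any username is a valid db name.
    return "userdb-" + username.encode("utf-8").hex()


def members_only(names=(), roles=()):
    # _security object: only the listed members (and server admins) can read.
    # An empty members section would leave the database readable by anyone.
    return {"admins": {"names": [], "roles": []},
            "members": {"names": list(names), "roles": list(roles)}}


def provisioning_plan(server, source_db, username, owner_field="owner"):
    """Return (method, url, body) requests for one user's private database."""
    src = f"{server}/{quote(source_db, safe='')}"
    dst = f"{server}/{user_db_name(username)}"
    return [
        # 1. Shared database: server admins only, so its views are not readable.
        ("PUT", f"{src}/_security", members_only(roles=["_admin"])),
        # 2. Private database for this user.
        ("PUT", dst, None),
        # 3. Only this user is a member of the private database.
        ("PUT", f"{dst}/_security", members_only(names=[username])),
        # 4. Copy only documents whose (hypothetical) owner field matches.
        ("POST", f"{server}/_replicate",
         {"source": src, "target": dst, "continuous": True,
          "selector": {owner_field: username}}),
    ]


def apply(plan, admin_auth_header):
    """Send the plan to a live server; admin_auth_header is an assumption."""
    for method, url, body in plan:
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Content-Type": "application/json",
            "Authorization": admin_auth_header})
        try:
            with urllib.request.urlopen(req) as resp:
                print(method, url, resp.status)
        except urllib.error.HTTPError as err:
            if not (err.code == 412 and body is None):  # 412: db already exists
                raise
```

The application then points each logged-in user at their own database, where the same design document and view can be installed without exposing other users' rows.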