isNaN1247

Reputation: 18099

Data security around _id and _rev in CouchDB

This is almost certainly a stupid question, but I want to be safe and so I think it's always worth double-checking.

As long as I have proper authentication (in my case cookie-based on a 1 database to 1 user basis), then is there any risk in exposing full document contents (i.e. including _id and _rev) in every single GET/PUT relating to that document?

By this I mean, is there any conceivable way that providing the whole document, rather than just its core data, could result in updates being more easily tampered with?

The only way around exposing the _rev to the client would be to do a HEAD request [server-side] before each PUT in order to get the latest revision number - which seems like madness!

Upvotes: 1

Views: 115

Answers (1)

JasonSmith

Reputation: 73752

There is no way that providing the whole document could result in updates being more easily tampered with.

If you are using per-database security, then you have a perfect foundation.

The primary policy that enforces read security is the _security object. The primary policy that enforces write security is the validate_doc_update function.

So I think the _id and _rev will not factor into a security assessment of your application.

Upvotes: 2
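
A sketch of the two policies named in the answer, added here as an example and not code from the original post: a constructed _security object and a validate_doc_update function whose decision rests on the userCtx CouchDB supplies for the authenticated session, not on knowledge of _id or _rev. The user names, the `owner` field and the `tryWrite` harness are assumptions made for illustration.

```javascript
// Constructed _security object for a one-user database (names are hypothetical).
const secObj = {
  admins:  { names: ["ops"], roles: [] },
  members: { names: ["alice"], roles: [] }
};

// CouchDB's signature: (newDoc, oldDoc, userCtx, secObj). In a real database this
// function is stored as a string in a design document's validate_doc_update field.
function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  if (userCtx.roles.indexOf("_admin") !== -1) return;            // server admin
  if (secObj.admins.names.indexOf(userCtx.name) !== -1) return;  // database admin
  if (!userCtx.name) {
    throw { unauthorized: "log in first" };
  }
  // Hypothetical application rule: only the owner may change an existing document.
  if (oldDoc && oldDoc.owner !== userCtx.name) {
    throw { forbidden: "not your document" };
  }
  // Hypothetical application rule: the owner field must name the writer.
  if (!newDoc._deleted && newDoc.owner !== userCtx.name) {
    throw { forbidden: "owner must be the authenticated user" };
  }
}

// Local harness standing in for CouchDB invoking the function on a PUT.
function tryWrite(newDoc, oldDoc, userCtx) {
  try {
    validate_doc_update(newDoc, oldDoc, userCtx, secObj);
    return "ok";
  } catch (e) {
    return e.forbidden ? "forbidden: " + e.forbidden
                       : "unauthorized: " + e.unauthorized;
  }
}

// Constructed sample data: the stored document and three callers.
const stored  = { _id: "note-1", _rev: "1-abc", owner: "alice", text: "hi" };
const alice   = { name: "alice",   roles: [] };
const mallory = { name: "mallory", roles: [] };  // has the full document, _id and _rev
const anon    = { name: null,      roles: [] };

console.log(tryWrite({ ...stored, text: "edited" }, stored, alice));
console.log(tryWrite({ ...stored, text: "edited" }, stored, mallory));
console.log(tryWrite({ ...stored, owner: "mallory" }, stored, mallory));
console.log(tryWrite({ ...stored, text: "edited" }, stored, anon));
```

The same _id and _rev are present in every call; only the userCtx differs, and it alone determines the outcome.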
