Valerio Emanuele

Reputation: 979

CouchDB per field read privilege based on roles

I'm new to CouchDB. I don't know if I can restrict the fields that a role can read from a document. If I can, is this the right approach to working with CouchDB?

For example, if I have a document like this:

{
    "firstname": "firstname",
    "lastname": "lastname",
    "email": {"home": "[email protected]", "work": "[email protected]"},
    "phone": {"home": "+81 00 0000 0000"}
}

And the following roles:

{
   "admins": {
       "names": [
           "superuser"
       ],
       "roles": [
           "admins"
       ]
   },
   "members": {
       "names": [
           "user1",
           "user2"
       ],
       "roles": [
           "developers"
       ]
   }
}

I want admin roles to be able to read all the fields, while developers can read only email and phone. How can I achieve this? Using validation functions?

Upvotes: 2

Views: 330

Answers (1)

Juanjo Rodriguez

Reputation: 2121

The functionality described in your post is not available in CouchDB.

Security in CouchDB is defined in the following terms (extracted from the docs):

The security object consists of two compulsory elements, admins and members, which are used to specify the list of users and/or roles that have admin and members rights to the database respectively:

  • members: they can read all types of documents from the DB, and they can write (and edit) documents to the DB except for design documents.
  • admins: they have all the privileges of members plus the privileges: write (and edit) design documents, add/remove database admins and members and set the database revisions limit. They can not create a database nor delete a database.

There are no per-document or even per-partial-document access restrictions implemented in CouchDB.

Currently, you can define per-document write restrictions by defining a Validate Document Update function in a Design Document.

There is a proposal for adding some per-document access restriction but it seems to be in the early stages of development. You can see the proposal here.

Upvotes: 3
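
Added example, not part of the answer above and not CouchDB project code: a Validate Document Update function for the question's document and roles, showing that the control it offers is on writes per field, while any member can still read the whole document. The rule that non-admin members may change only email and phone, the sample values, and the `tryWrite` harness are assumptions made for illustration.

```javascript
// Stored as source text under "validate_doc_update" in a design document.
// Assumption: non-admin members may change only email and phone.
function validateDocUpdate(newDoc, oldDoc, userCtx, secObj) {
  var adminOnly = ['firstname', 'lastname'];
  var admins = (secObj && secObj.admins) || {};
  var adminNames = admins.names || [];
  var adminRoles = admins.roles || [];

  // Server admins carry the _admin role; database admins come from secObj.
  var isAdmin = userCtx.roles.indexOf('_admin') !== -1 ||
                adminNames.indexOf(userCtx.name) !== -1;
  for (var i = 0; !isAdmin && i < userCtx.roles.length; i++) {
    isAdmin = adminRoles.indexOf(userCtx.roles[i]) !== -1;
  }
  if (isAdmin) return;

  if (!oldDoc || newDoc._deleted) {
    throw { forbidden: 'Only admins may create or delete documents.' };
  }
  for (var j = 0; j < adminOnly.length; j++) {
    var field = adminOnly[j];
    // Compare serialized values so nested objects are handled too.
    if (JSON.stringify(newDoc[field]) !== JSON.stringify(oldDoc[field])) {
      throw { forbidden: 'Only admins may change "' + field + '".' };
    }
  }
}

// Constructed sample data mirroring the question's security object and document.
var secObj = {
  admins: { names: ['superuser'], roles: ['admins'] },
  members: { names: ['user1', 'user2'], roles: ['developers'] }
};
var stored = { _id: 'person1', firstname: 'A', lastname: 'B',
               email: { home: 'home@example.com' },
               phone: { home: '+81 00 0000 0000' } };

// Local harness (hypothetical helper): returns 'ok' or the forbidden reason.
function tryWrite(changes, userCtx) {
  var newDoc = JSON.parse(JSON.stringify(stored));
  for (var k in changes) newDoc[k] = changes[k];
  try { validateDocUpdate(newDoc, stored, userCtx, secObj); return 'ok'; }
  catch (e) { return e.forbidden; }
}

var dev = { name: 'user1', roles: ['developers'] };
var admin = { name: 'superuser', roles: [] };
console.log(tryWrite({ phone: { home: '+81 11 1111 1111' } }, dev));
console.log(tryWrite({ lastname: 'X' }, dev));
console.log(tryWrite({ lastname: 'X' }, admin));
```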
