Open sivakumar-kailasam opened 8 years ago
acorncom
commented
8 years ago Ideally, I would like to see one field be read/write for folks even if they haven't logged in with Github auth, to simplify use of the tool. And then if we see maliciousness around that, we can lock that down.
However, if that is too complicated on the CouchDB side of things to account for, then allowing read/write access to part of the data (but not all of it) for Github-authed users is a reasonable compromise ...
sivakumar-kailasam
commented
8 years ago From what I've read so far, we can create a member who has only rw access to data and use this on our ember app. End users never have to authorize themselves. By defining a update function on coucbdb we can ensure that if end users try to update the data, he can only add/remove contributors but not alter the rest of the data.
This brings the level of security we expected when we got started.
This app will use a credential that has admin rights and the webapp will use one which has member rights.
http://guide.couchdb.org/draft/security.html goes into details of how to secure couchdb since the entire instance is public by default and anyone can potentially perform any operation on it.
We need to make help-wanted read-only for anonymous access. Contributors data should be writable for authorized users(github based auth preferably). Please add to the issue if you have more implementation details.
references: