Documents collaboration and security
Hi!
I'm planning to build a mobile application where users will be able to create documents and share them with other users. Unfortunately I can't set security per document. In a situation where users don't share their documents, each user has privalages for his own database, and everything is great and secure. The problem occures when I want to share one document from my database with another user. I can't give him read privilages because I want him to read only one document, not all of them.
What is the best way to achieve such goal?
Thank you in advance!
The best approach is probably to replicate the shared document into the target user's database. Then s/he can access it without needing access to your database. This can be done with a filtered replication set up on the server — either replicate a specific list of document IDs, or use a filter that looks at a document property like "sharewith:" or something like that.
Our upcoming Syncpoint product is being designed to handle exactly this situation, which turns out to be a common one. We don't have much to say about it yet, but we'll be releasing some design documents soon.
Thank you for the response. I have documents with mandatory field 'author', and a list of members. Only these users who are checked with userCtx.name are allowed to make changes to the document and the replication to mobile will only send their documents.
I tried to filter requests like $HOST/dbname/id using nginx as a Reverse Proxy but than replication failed.
Replication of the shared document into target user's database sounds resonable. Is there a posibility to automatically trigger replication from this public db to target user's database? Or put some local PHP client who listens on _changes and does the replication?
Thank you again!
Yes I would do this with a custom server-side changes listener written in the language of your choice.
I would like to ask one more question.
Is there a possibility to enable client authentication via SSL? I plan to give my mobile app a certificate so only users could get into the database using my mobile app. I know that this could be achieved by setting up a proxy, but is it possible to authenticate clients without a proxy?
Thank you in advance!
Syncpoint Server will definitely support this. I'm not sure whether CouchDB does, without adding a proxy. Chris might have an answer to that, or you could ask on the CouchDB 'user@' mailing list.
You will need to do something within your control on the server in order to dispatch this document. You could have the messages all saved into a central database, and then use filtered replication to only replicate from the central database to a given user, those documents tagged with that user as a recipient.
Alternatively, each user could have a publicly addressable "inbox" database, which accepts POST requests but nothing else (unless you are the user). This will require a little bit of a proxy on your backend. Then you could have one user drop the message directly into the other user's cloud-based inbox, for sync to the other users device.
In the future we'll be releasing a product that encapsulates patterns like this, but it will not be available for a few months.