
Unauthorized db permissions config?

Open peteruithoven opened this issue 7 years ago • 0 comments

For clarity I decided to move my nobody / unauthorized users question I asked in https://github.com/colinskow/superlogin/issues/152 here.

When using the Cloudant authorization model, each db's _security document contains API keys with their permissions. In the case of superlogin, each session gets an API key.

It's also possible to add a nobody API key; this is a way to determine the access of unauthenticated users. Below is an example _security document. It contains a nobody key which has _reader permissions, which means that the database is publicly readable to unauthenticated users.

{
    "cloudant": {
        "antsellseadespecteposene": [
            "_reader",
            "_writer",
            "_admin"
        ],
        "garbados": [
            "_reader",
            "_writer",
            "_admin"
        ],
        "nobody": [
            "_reader"
        ]
    }
}

The special nobody user name applies for anyone or any application that tries to do tasks, but that did not authenticate with the system. In other words, the nobody user name applies to all unauthenticated connection attempts. For example, if an application attempts to read data from a database, but did not identify itself, the task can proceed only if the nobody user has the role _reader.

More info: https://console.ng.bluemix.net/docs/services/Cloudant/api/authorization.html#enabling-the-_users-database-with-cloudant

Is there a way to describe the permissions of nobody (unauthorized users) per database in the superlogin config?

peteruithoven May 08 '17 12:05
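
An added example, not part of the original issue and not superlogin code: a Node.js check that compares the `nobody` roles found in each database's `_security` document with an intended per-database policy, so that unintended public access shows up as a finding. The `expectedNobody` policy map, the database names and every sample document other than the one quoted in the issue are assumptions made for illustration.

```javascript
'use strict';
// Added example, not superlogin code. `expectedNobody` is a hypothetical
// policy map (db name -> roles `nobody` may hold), not a superlogin option.

const KNOWN_ROLES = ['_reader', '_writer', '_admin']; // roles shown on the page

// Roles granted to unauthenticated callers by one _security document.
function nobodyRoles(securityDoc) {
  const cloudant = securityDoc && securityDoc.cloudant;
  if (!cloudant || !Array.isArray(cloudant.nobody)) return [];
  return [...new Set(cloudant.nobody)].sort();
}

// Compare actual `nobody` roles with the intended ones, per database.
// A database absent from the policy is expected to grant `nobody` nothing.
function auditNobody(securityDocs, expectedNobody) {
  const findings = [];
  for (const [db, doc] of Object.entries(securityDocs)) {
    const actual = nobodyRoles(doc);
    const expected = expectedNobody[db] || [];
    const unexpected = actual.filter((r) => !expected.includes(r));
    const missing = expected.filter((r) => !actual.includes(r));
    const unknown = actual.filter((r) => !KNOWN_ROLES.includes(r));
    if (unexpected.length || missing.length || unknown.length) {
      findings.push({ db, actual, unexpected, missing, unknown });
    }
  }
  return findings;
}

// Constructed sample input: `catalog` is the document quoted in the issue,
// the other databases and the policy are made up for this example.
const full = ['_reader', '_writer', '_admin'];
const sampleDocs = {
  catalog: { cloudant: { antsellseadespecteposene: full, garbados: full, nobody: ['_reader'] } },
  orders: { cloudant: { garbados: full, nobody: ['_reader', '_writer'] } },
  profiles: { cloudant: { garbados: full } },
  news: { cloudant: {} },
};
const samplePolicy = { catalog: ['_reader'], news: ['_reader'] };

for (const f of auditNobody(sampleDocs, samplePolicy)) {
  console.log(`${f.db}: nobody has [${f.actual}] unexpected=[${f.unexpected}] missing=[${f.missing}]`);
}
```

In practice the `securityDocs` argument would be filled from each database's `_security` endpoint; the check itself needs only the parsed JSON.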