I have a Cordova app running PouchDB inside the in-app browser. Each user belongs to a 'team'. For each team, there is a couch database in the cloud that they're all syncing their local pouch with.
I'd like to create a design document that provides some simple filtering functionality, but I'm concerned that any user belonging to that team would be able to create a new revision of the design document and thus affect every other user's view of the documents.
Is it a common practice to lock down updates of design documents? Are these design documents typically replicated between users, or are they created in local pouches only and somehow prevented from replicating to a shared cloud couch?
Answer 0: (score: 6)
My standard advice to folks is to never replicate design documents. It's just too confusing and security-risky.
Therefore when you replicate, you can just do a filter to exclude any documents whose IDs start with _design/. On the client side, you just create whatever ddocs you need, and ditto with the server.
On the other hand, this doesn't prevent a malicious user from attempting to overwrite design documents on the server-side. (In case you are also using server-side ddocs.) The only way to prevent that is with a validate_doc_update function, which you can use to prevent non-admins from overwriting design docs.
Hope that helps!
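The two controls described in the answer above, as an added example that is not part of the original answer: a replication filter that skips design documents, and a validate_doc_update function that rejects design-document writes from non-admins. The names excludeDesignDocs, guardDdoc, checkWrite and the _design/guard ID are assumptions made for illustration, and the users and documents are constructed sample data.

```javascript
// Replication filter: PouchDB accepts a JS function as the `filter` option.
// Returns false for design documents so they are never replicated.
function excludeDesignDocs(doc) {
  return doc._id.indexOf('_design/') !== 0;
}

// Server-side guard, written in ES5 with no closures so its source can be
// stored as a string in a design document's validate_doc_update field.
const validateDocUpdate = function (newDoc, oldDoc, userCtx) {
  var isDesignDoc = newDoc._id.indexOf('_design/') === 0;
  var isAdmin = userCtx.roles.indexOf('_admin') !== -1;
  if (isDesignDoc && !isAdmin) {
    throw { forbidden: 'Only admins may write design documents.' };
  }
};

// Design document an admin would upload to the team database.
// The _id "_design/guard" is a made-up name for this example.
const guardDdoc = {
  _id: '_design/guard',
  validate_doc_update: validateDocUpdate.toString()
};

// Local harness (constructed): mimics CouchDB calling the validation function.
function checkWrite(newDoc, userCtx) {
  try {
    validateDocUpdate(newDoc, null, userCtx);
    return 'accepted';
  } catch (err) {
    if (err && err.forbidden) return 'forbidden: ' + err.forbidden;
    throw err;
  }
}

// Constructed sample data.
const member = { name: 'alice', roles: ['team-blue'] };
const admin = { name: 'root', roles: ['_admin'] };
const sampleDocs = [
  { _id: 'task:1', title: 'ship it' },
  { _id: '_design/filters', filters: {} }
];

// Usage with PouchDB (not run here):
//   localDb.sync(remoteDb, { live: true, retry: true, filter: excludeDesignDocs });
```

The filter only keeps design documents out of replication traffic from well-behaved clients; the validation function is what the server enforces on every write.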