Question

Local documents differ from ordinary CouchDB documents in that they are not replicated, do not show up in any view (including _all_docs) and are not subject to validation functions. They can only be accessed using their document id which has to be known for retrieval. See http://docs.couchdb.org/en/1.3.x/api/local.html for details.

A malicious user could abuse this feature in a public-facing CouchDB to store arbitrary data on the server. The funny thing is that a database or server admin cannot even see those documents in any other way than viewing the log files.

So I wonder if there is any option to disable local documents in CouchDB?

Solution

No, there isn't a way to do that, sorry. Your comments are all correct though, and this probably is something that it would be good to improve in CouchDB to avoid this problem. Feel free to file a bug at https://issues.apache.org/jira/browse/COUCHDB and people will certainly consider it, or explain why it's not practical.

On the other hand, more practically, giving somebody write access to your database requires a certain level of trust that they'll not be malicious or hugely defective. Yes, they could sneakily create local documents, but equivalently they could also just delete everything in your database, or fill it with other normal documents and crash the server, which you'd then still have to go through and individually delete (even a bulk delete requires you to list every document id), or just delete the whole DB.

If your database client isn't trustworthy to this level then you should not give them direct access to your database. In that case, you should instead put some service between them and the CouchDB (i.e. a website with fixed forms and whatnot) that manages these interactions to control this sort of thing.
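As an illustration of the intermediary service described above, the following added example (not part of the original answer, and not CouchDB code) shows the decision such a service could make before forwarding a request: it refuses anything that addresses a `_local` document. The function names are hypothetical, and rejecting `_local/` ids in POST bodies and COPY destinations is a conservative assumption rather than a statement about which of those routes CouchDB accepts.

```python
import json
from urllib.parse import unquote

def _decode(value):
    # Decode repeatedly so double-encoded forms (%255Flocal) are caught too.
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value

def _is_local_id(doc_id):
    # Matches "_local" and "_local/<id>", but not e.g. "_localfoo".
    return isinstance(doc_id, str) and (doc_id + "/").startswith("_local/")

def path_targets_local(raw_path):
    """True when the path addresses /{db}/_local/{id}, however it is encoded."""
    segments = [s for s in _decode(raw_path.split("?", 1)[0]).split("/") if s]
    return len(segments) >= 2 and segments[1] == "_local"

def body_writes_local(body):
    """True when a JSON body (single doc or {"docs": [...]}) carries a _local id."""
    try:
        data = json.loads(body or b"{}")
    except ValueError:
        return True  # fail closed on a body the filter cannot parse
    docs = data.get("docs", [data]) if isinstance(data, dict) else None
    if not isinstance(docs, list):
        return True  # unexpected shape: fail closed
    return any(isinstance(d, dict) and _is_local_id(d.get("_id")) for d in docs)

def allow_request(method, raw_path, body=b"", destination=""):
    """Decision a fronting service would make before forwarding to CouchDB."""
    if path_targets_local(raw_path):
        return False
    if method == "COPY" and _is_local_id(_decode(destination)):
        return False
    # Only POST bodies are inspected here; other methods are judged by path.
    if method == "POST" and body_writes_local(body):
        return False
    return True
```

CouchDB replication keeps its checkpoints in `_local` documents, so a client restricted by a filter like this cannot checkpoint a replication through it.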

Licensed under: CC-BY-SA with attribution