Rebase/access 2026

rel/overlay/etc/default.ini

@@ -508,6 +508,10 @@ authentication_db = _users
 ; max_iterations, password_scheme, password_regexp, proxy_use_secret,
 ; public_fields, secret, users_db_public, cookie_domain, same_site
 
+; Per document access settings
+[per_doc_access]
+;enable = false
+
 ; CSP (Content Security Policy) Support
 [csp]
 ;utils_enable = true

src/chttpd/src/chttpd.erl

@@ -1084,6 +1084,8 @@ error_info({bad_request, Error, Reason}) ->
     {400, couch_util:to_binary(Error), couch_util:to_binary(Reason)};
 error_info({query_parse_error, Reason}) ->
     {400, <<"query_parse_error">>, Reason};
+error_info(access) ->
+    {403, <<"forbidden">>, <<"access">>};
 error_info(database_does_not_exist) ->
     {404, <<"not_found">>, <<"Database does not exist.">>};
 error_info(not_found) ->

src/chttpd/src/chttpd_db.erl

@@ -464,7 +464,7 @@ create_db_req(#httpd{} = Req, DbName) ->
     couch_httpd:verify_is_server_admin(Req),
     ShardsOpt = parse_shards_opt(Req),
     EngineOpt = parse_engine_opt(Req),
-    DbProps = parse_partitioned_opt(Req),
+    DbProps = parse_db_props(Req),
     Options = lists:append([ShardsOpt, [{props, DbProps}], EngineOpt]),
     DocUrl = absolute_uri(Req, "/" ++ couch_util:url_encode(DbName)),
     case fabric:create_db(DbName, Options) of
@@ -1021,16 +1021,18 @@ view_cb(Msg, Acc) ->
     couch_mrview_http:view_cb(Msg, Acc).
 
 db_doc_req(#httpd{method = 'DELETE'} = Req, Db, DocId) ->
-    % check for the existence of the doc to handle the 404 case.
-    couch_doc_open(Db, DocId, nil, []),
-    case chttpd:qs_value(Req, "rev") of
+    % fetch the old doc revision, so we can compare access control
+    % in send_update_doc() later.
+    Doc0 = couch_doc_open(Db, DocId, nil, [{user_ctx, Req#httpd.user_ctx}]),
+    Rev = chttpd:qs_value(Req, "rev"),
+    case Rev of
         undefined ->
             Body = {[{<<"_deleted">>, true}]};
         Rev ->
             Body = {[{<<"_rev">>, ?l2b(Rev)}, {<<"_deleted">>, true}]}
     end,
-    Doc = couch_doc_from_req(Req, Db, DocId, Body),
-    send_updated_doc(Req, Db, DocId, Doc);
+    Doc = #doc{revs = Rev, body = Body, deleted = true, access = Doc0#doc.access},
+    send_updated_doc(Req, Db, DocId, couch_doc_from_req(Req, Db, DocId, Doc));
 db_doc_req(#httpd{method = 'GET', mochi_req = MochiReq} = Req, Db, DocId) ->
     #doc_query_args{
         rev = Rev0,
@@ -1479,6 +1481,8 @@ receive_request_data(Req, LenLeft) when LenLeft > 0 ->
 receive_request_data(_Req, _) ->
     throw(<<"expected more data">>).
 
+update_doc_result_to_json({#doc{id = Id, revs = Rev}, access}) ->
+    update_doc_result_to_json({{Id, Rev}, access});
 update_doc_result_to_json({error, _} = Error) ->
     {_Code, Err, Msg} = chttpd:error_info(Error),
     {[
@@ -2031,10 +2035,12 @@ parse_shards_opt("placement", Req, Default) ->
     end;
 parse_shards_opt(Param, Req, Default) ->
     Val = chttpd:qs_value(Req, Param, Default),
-    Err = ?l2b(["The `", Param, "` value should be a positive integer."]),
     case couch_util:validate_positive_int(Val) of
-        true -> Val;
-        false -> throw({bad_request, Err})
+        true ->
+            Val;
+        false ->
+            Err = ?l2b(["The `", Param, "` value should be a positive integer."]),
+            throw({bad_request, Err})
     end.
 
 parse_engine_opt(Req) ->
@@ -2051,6 +2057,30 @@ parse_engine_opt(Req) ->
             end
     end.
 
+parse_access_opt(Req) ->
+    AccessValue = chttpd:qs_value(Req, "access", "false"),
+    AccessEnabled = config:get_boolean("per_doc_access", "enable", false),
+    case AccessValue of
+        "true" ->
+            case AccessEnabled of
+                false ->
+                    Err = <<"The `access` option is not available on this CouchDB installation.">>,
+                    throw({bad_request, Err});
+                _ ->
+                    [{access, true}]
+                end;
+        "false" ->
+            [];
+        _ ->
+            Err = <<"The `access` value should be a boolean.">>,
+            throw({bad_request, Err})
+    end.
+
+parse_db_props(Req) ->
+    Partitioned = parse_partitioned_opt(Req),
+    Access = parse_access_opt(Req),
+    Partitioned ++ Access.
+
 parse_partitioned_opt(Req) ->
     case chttpd:qs_value(Req, "partitioned") of
         undefined ->

src/chttpd/src/chttpd_show.erl

@@ -79,6 +79,7 @@ handle_doc_show(Req, Db, DDoc, ShowName, Doc) ->
 
 handle_doc_show(Req, Db, DDoc, ShowName, Doc, DocId) ->
     %% Will throw an exception if the _show handler is missing
+    ok = couch_db:validate_access(Db, DDoc),
     couch_util:get_nested_json_value(DDoc#doc.body, [<<"shows">>, ShowName]),
     % get responder for ddoc/showname
     CurrentEtag = show_etag(Req, Doc, DDoc, []),
@@ -137,6 +138,7 @@ handle_doc_update_req(Req, _Db, _DDoc) ->
 
 send_doc_update_response(Req, Db, DDoc, UpdateName, Doc, DocId) ->
     %% Will throw an exception if the _update handler is missing
+    % ok = couch_db:validate_access(Db, DDoc),
     couch_util:get_nested_json_value(DDoc#doc.body, [<<"updates">>, UpdateName]),
     JsonReq = chttpd_external:json_req_obj(Req, Db, DocId),
     JsonDoc = couch_query_servers:json_doc(Doc),
@@ -249,6 +251,7 @@ handle_view_list_req(Req, _Db, _DDoc) ->
 
 handle_view_list(Req, Db, DDoc, LName, {ViewDesignName, ViewName}, Keys) ->
     %% Will throw an exception if the _list handler is missing
+    ok = couch_db:validate_access(Db, DDoc),
     couch_util:get_nested_json_value(DDoc#doc.body, [<<"lists">>, LName]),
     DbName = couch_db:name(Db),
     {ok, VDoc} = ddoc_cache:open(DbName, <<"_design/", ViewDesignName/binary>>),

src/chttpd/src/chttpd_view.erl

@@ -66,6 +66,7 @@ design_doc_view(Req, Db, DDoc, ViewName, Keys) ->
     fabric_query_view(Db, Req, DDoc, ViewName, Args).
 
 fabric_query_view(Db, Req, DDoc, ViewName, Args) ->
+    ok = couch_db:validate_access(Db, DDoc),
     Max = chttpd:chunked_response_buffer_size(),
     VAcc = #vacc{db = Db, req = Req, threshold = Max},
     Options = [{user_ctx, Req#httpd.user_ctx}],

src/couch/include/couch_db.hrl

@@ -67,7 +67,8 @@
 -record(doc_info, {
     id = <<"">>,
     high_seq = 0,
-    revs = [] % rev_info
+    revs = [], % rev_info
+    access = []
 }).
 
 -record(size_info, {
@@ -80,7 +81,8 @@
     update_seq = 0,
     deleted = false,
     rev_tree = [],
-    sizes = #size_info{}
+    sizes = #size_info{},
+    access = []
 }).
 
 -record(httpd, {
@@ -124,7 +126,8 @@
 
     % key/value tuple of meta information, provided when using special options:
     % couch_db:open_doc(Db, Id, Options).
-    meta = []
+    meta = [],
+    access = []
 }).
 
 
@@ -200,7 +203,8 @@
     ptr,
     seq,
     sizes = #size_info{},
-    atts = []
+    atts = [],
+    access = []
 }).
 
 -record (fabric_changes_acc, {

src/couch/src/couch_access_native_proc.erl

@@ -0,0 +1,137 @@
+% Licensed under the Apache License, Version 2.0 (the "License"); you may not
+% use this file except in compliance with the License. You may obtain a copy of
+% the License at
+%
+% http://www.apache.org/licenses/LICENSE-2.0
+%
+% Unless required by applicable law or agreed to in writing, software
+% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+% License for the specific language governing permissions and limitations under
+% the License.
+
+-module(couch_access_native_proc).
+-behavior(gen_server).
+
+-export([
+    start_link/0,
+    set_timeout/2,
+    prompt/2
+]).
+
+-export([
+    init/1,
+    terminate/2,
+    handle_call/3,
+    handle_cast/2,
+    handle_info/2,
+    code_change/3
+]).
+
+-record(st, {
+    indexes = [],
+    % TODO: make configurable
+    timeout = 5000
+}).
+
+start_link() ->
+    gen_server:start_link(?MODULE, [], []).
+
+set_timeout(Pid, TimeOut) when is_integer(TimeOut), TimeOut > 0 ->
+    gen_server:call(Pid, {set_timeout, TimeOut}).
+
+prompt(Pid, Data) ->
+    gen_server:call(Pid, {prompt, Data}).
+
+init(_) ->
+    {ok, #st{}}.
+
+terminate(_Reason, _St) ->
+    ok.
+
+handle_call({set_timeout, TimeOut}, _From, St) ->
+    {reply, ok, St#st{timeout = TimeOut}};
+handle_call({prompt, [<<"reset">>]}, _From, St) ->
+    {reply, true, St#st{indexes = []}};
+handle_call({prompt, [<<"reset">>, _QueryConfig]}, _From, St) ->
+    {reply, true, St#st{indexes = []}};
+handle_call({prompt, [<<"add_fun">>, IndexInfo]}, _From, St) ->
+    {reply, true, St};
+handle_call({prompt, [<<"map_doc">>, Doc]}, _From, St) ->
+    {reply, map_doc(St, mango_json:to_binary(Doc)), St};
+handle_call({prompt, [<<"reduce">>, _, _]}, _From, St) ->
+    {reply, null, St};
+handle_call({prompt, [<<"rereduce">>, _, _]}, _From, St) ->
+    {reply, null, St};
+handle_call({prompt, [<<"index_doc">>, Doc]}, _From, St) ->
+    {reply, [[]], St};
+handle_call(Msg, _From, St) ->
+    {stop, {invalid_call, Msg}, {invalid_call, Msg}, St}.
+
+handle_cast(garbage_collect, St) ->
+    erlang:garbage_collect(),
+    {noreply, St};
+handle_cast(Msg, St) ->
+    {stop, {invalid_cast, Msg}, St}.
+
+handle_info(Msg, St) ->
+    {stop, {invalid_info, Msg}, St}.
+
+code_change(_OldVsn, St, _Extra) ->
+    {ok, St}.
+
+% Return value is an array of arrays, first dimension is the different indexes
+% [0] will be by-access-id // for this test, later we should make this by-access
+% -seq, since that one we will always need, and by-access-id can be opt-in.
+% the second dimension is the number of emit kv pairs:
+% [ // the return value
+%   [ // the first view
+%     ['k1', 'v1'], // the first k/v pair for the first view
+%     ['k2', 'v2']  // second, etc.
+%   ],
+%   [ // second view
+%     ['l1', 'w1'] // first k/v par in second view
+%   ]
+% ]
+% {"id":"account/bongel","key":"account/bongel","value":{"rev":"1-967a00dff5e02add41819138abb3284d"}},
+
+map_doc(_St, {Doc}) ->
+    case couch_util:get_value(<<"_access">>, Doc) of
+        undefined ->
+            % do not index this doc
+            [[], []];
+        Access when is_list(Access) ->
+            Id = couch_util:get_value(<<"_id">>, Doc),
+            Rev = couch_util:get_value(<<"_rev">>, Doc),
+            Seq = couch_util:get_value(<<"_seq">>, Doc),
+            Deleted = couch_util:get_value(<<"_deleted">>, Doc, false),
+            BodySp = couch_util:get_value(<<"_body_sp">>, Doc),
+            % by-access-id
+            ById =
+                case Deleted of
+                    false ->
+                        lists:map(
+                            fun(UserOrRole) ->
+                                [
+                                    [[UserOrRole, Id], Rev]
+                                ]
+                            end,
+                            Access
+                        );
+                    _True ->
+                        [[]]
+                end,
+
+            % by-access-seq
+            BySeq = lists:map(
+                fun(UserOrRole) ->
+                    [
+                        [[UserOrRole, Seq], [{rev, Rev}, {deleted, Deleted}, {body_sp, BodySp}]]
+                    ]
+                end,
+                Access
+            ),
+            ById ++ BySeq;
+        _Else ->
+            [[], []]
+    end.

src/couch/src/couch_bt_engine.erl

@@ -667,20 +667,24 @@ id_tree_split(#full_doc_info{} = Info) ->
         update_seq = Seq,
         deleted = Deleted,
         sizes = SizeInfo,
-        rev_tree = Tree
+        rev_tree = Tree,
+        access = Access
     } = Info,
-    {Id, {Seq, ?b2i(Deleted), split_sizes(SizeInfo), disk_tree(Tree)}}.
+    {Id, {Seq, ?b2i(Deleted), split_sizes(SizeInfo), disk_tree(Tree), split_access(Access)}}.
 
 id_tree_join(Id, {HighSeq, Deleted, DiskTree}) ->
     % Handle old formats before data_size was added
     id_tree_join(Id, {HighSeq, Deleted, #size_info{}, DiskTree});
 id_tree_join(Id, {HighSeq, Deleted, Sizes, DiskTree}) ->
+    id_tree_join(Id, {HighSeq, Deleted, Sizes, DiskTree, []});
+id_tree_join(Id, {HighSeq, Deleted, Sizes, DiskTree, Access}) ->
     #full_doc_info{
         id = Id,
         update_seq = HighSeq,
         deleted = ?i2b(Deleted),
         sizes = couch_db_updater:upgrade_sizes(Sizes),
-        rev_tree = rev_tree(DiskTree)
+        rev_tree = rev_tree(DiskTree),
+        access = join_access(Access)
     }.
 
 id_tree_reduce(reduce, FullDocInfos) ->
@@ -717,21 +721,27 @@ seq_tree_split(#full_doc_info{} = Info) ->
         update_seq = Seq,
         deleted = Del,
         sizes = SizeInfo,
-        rev_tree = Tree
+        rev_tree = Tree,
+        access = Access
     } = Info,
-    {Seq, {Id, ?b2i(Del), split_sizes(SizeInfo), disk_tree(Tree)}}.
+    {Seq, {Id, ?b2i(Del), split_sizes(SizeInfo), disk_tree(Tree), split_access(Access)}}.
 
 seq_tree_join(Seq, {Id, Del, DiskTree}) when is_integer(Del) ->
     seq_tree_join(Seq, {Id, Del, {0, 0}, DiskTree});
 seq_tree_join(Seq, {Id, Del, Sizes, DiskTree}) when is_integer(Del) ->
+    seq_tree_join(Seq, {Id, Del, Sizes, DiskTree, []});
+seq_tree_join(Seq, {Id, Del, Sizes, DiskTree, Access}) when is_integer(Del) ->
     #full_doc_info{
         id = Id,
         update_seq = Seq,
         deleted = ?i2b(Del),
         sizes = join_sizes(Sizes),
-        rev_tree = rev_tree(DiskTree)
+        rev_tree = rev_tree(DiskTree),
+        access = join_access(Access)
     };
 seq_tree_join(KeySeq, {Id, RevInfos, DeletedRevInfos}) ->
+    seq_tree_join(KeySeq, {Id, RevInfos, DeletedRevInfos, []});
+seq_tree_join(KeySeq, {Id, RevInfos, DeletedRevInfos, Access}) ->
     % Older versions stored #doc_info records in the seq_tree.
     % Compact to upgrade.
     Revs = lists:map(
@@ -749,7 +759,8 @@ seq_tree_join(KeySeq, {Id, RevInfos, DeletedRevInfos}) ->
     #doc_info{
         id = Id,
         high_seq = KeySeq,
-        revs = Revs ++ DeletedRevs
+        revs = Revs ++ DeletedRevs,
+        access = Access
     }.
 
 seq_tree_reduce(reduce, DocInfos) ->
@@ -758,6 +769,9 @@ seq_tree_reduce(reduce, DocInfos) ->
 seq_tree_reduce(rereduce, Reds) ->
     lists:sum(Reds).
 
+join_access(Access) -> Access.
+split_access(Access) -> Access.
+
 local_tree_split(#doc{revs = {0, [Rev]}} = Doc) when is_binary(Rev) ->
     #doc{
         id = Id,