Since the world state is stored in the database of the peer, is it possible to get all the data in it on the peer node? If yes, how to make sure all the data in state are well access controlled?
Plus, if everyone can see the transactions in the ledger, all people can rebuild the state with the transaction payload. It means the world state is transparent to all participant. If this is true, again, how to make sure only the participants with proper permission can view the state?
Anyone can build a transaction, but it to be committed, to the world state, it would have be endorsed by the Endorsement System chain code. A malicious node (trying to hack the world state) would first need to be a member of the channel (controlled by the MemberShip Service Provider) and have the right permissions in order for to the call to be propagated to the orderer and committed to the nodes.
In order to restrict who can see what, you have the options of restricting the query in your smart contract chain code logic, or assigning them a write only profile in your peer config yaml.
Yes, you can enter CouchDB directly using the web interface and modify data. Changes in CouchDB are not notified by Hyperledger Farbic. I tested this (on Hyperledger Fabric 1.1.0) with 2 peers, and using a query function in the chaincode, the results from both peers were different, i.e. no error was given that data has been modified.
Check also How your data is safe in Hyperledger Fabric when one can make changes to couchdb data directly where a similar answer is given.
