couchdb-dev mailing list archives

From Andrew Straw <straw...@astraw.com>
Subject confused about security
Date Tue, 23 Feb 2010 09:42:08 GMT
Hi,

Are members of the admins and readers lists supposed to be able to
execute saved views? I can't get this to work using the 0.11.x git
branch, although accessing individual docs works as I expect. I will
happily provide more information if need be. I'm very new to CouchDB and
may simply be missing something, so please bear with me.

Steps to reproduce:

Start with clean CouchDB install.

Signup two users. The first ("astraw") is an admin user, and the second
("strawman") has no privs. (Side note: the Definitive Guide chapter 22
does not correspond with 0.11.x behavior. Specifically, the POST to
_session with username and password no longer returns a working
AuthSession cookie.)

Create a db as admin:

curl -X PUT http://astraw:abc123@localhost:5984/cooldb

Add a document:

curl -X PUT http://localhost:5984/cooldb/doc1 -d '{"title":"This is document 1"}'

And I add a design document:

curl -X PUT http://astraw:abc123@127.0.0.1:5984/cooldb/_design/example -d \
'{"_id":"_design/example","views":{"foo":{"map":"function(doc){emit(doc._id,doc._rev)}"}}}'

I can execute the view:

curl http://strawman:strawman@127.0.0.1:5984/cooldb/_design/example/_view/foo
{"total_rows":1,"offset":0,"rows":[
{"id":"doc1","key":"doc1","value":"1-d4d7c84b286776200bcf12d5d481ebda"}
]}

Now I turn on security by adding strawman to the reader list.

curl -X PUT http://astraw:abc123@localhost:5984/cooldb/_security \
-d '{"admins":{"names":[],"roles":[]},"readers":{"names":["strawman"],"roles":[]}}'

OK, so now anonymous reads are forbidden, which is expected:

curl http://localhost:5984/cooldb/doc1
{"error":"unauthorized","reason":"You are not authorized to access this db."}

and authorized reads are OK, which is also as expected:

curl http://strawman:strawman@127.0.0.1:5984/cooldb/doc1
{"_id":"doc1","_rev":"1-d4d7c84b286776200bcf12d5d481ebda","title":"This is document 1"}

same with reads from the _admin user:

curl http://astraw:abc123@127.0.0.1:5984/cooldb/doc1
{"_id":"doc1","_rev":"1-d4d7c84b286776200bcf12d5d481ebda","title":"This is document 1"}

So far, so good. But now, I can't execute the view, even as admin:

curl http://astraw:abc123@127.0.0.1:5984/cooldb/_design/example/_view/foo
{"error":"unauthorized","reason":"You are not authorized to access this db."}

If I delete the _security, I can see the view again, even anonymously:

curl -X PUT http://astraw:abc123@localhost:5984/cooldb/_security \
-d '{"admins":{"names":[],"roles":[]},"readers":{"names":[],"roles":[]}}'

curl http://127.0.0.1:5984/cooldb/_design/example/_view/foo
{"total_rows":1,"offset":0,"rows":[
{"id":"doc1","key":"doc1","value":"1-d4d7c84b286776200bcf12d5d481ebda"}
]}

-Andrew
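The message above turns on the behaviour a defender cares about: with an empty `readers` section the database is world-readable, and once a name is added every request has to be matched against the `_security` object. The following is an added example, not code from the mailing-list post or from the CouchDB project: a plain-Python model of the documented `admins`/`readers` semantics of a CouchDB 0.11.x `_security` object, plus a small validator that flags the open configuration. The user contexts (`ANON`, `STRAWMAN`, `ASTRAW`) and the two security objects are constructed from the values in the message; it is an assumption that CouchDB's own Erlang implementation matches this model exactly.

```python
"""Model of the CouchDB per-database _security read/admin check.

Added example, not CouchDB code: models the documented semantics of the
``admins`` / ``readers`` sections in a 0.11.x ``_security`` object.
Assumption: CouchDB's Erlang implementation behaves like this model.
"""
from typing import Dict, List, Optional

# Role CouchDB grants to server admins configured in local.ini.
SERVER_ADMIN_ROLE = "_admin"

# Constructed user contexts mirroring the users in the message.
ANON: Dict = {"name": None, "roles": []}              # unauthenticated request
STRAWMAN: Dict = {"name": "strawman", "roles": []}    # user with no privileges
ASTRAW: Dict = {"name": "astraw", "roles": ["_admin"]}  # server admin

# Constructed _security objects: the one that locks the db to strawman,
# and the empty one that re-opens it.
LOCKED: Dict = {"admins": {"names": [], "roles": []},
                "readers": {"names": ["strawman"], "roles": []}}
OPEN: Dict = {"admins": {"names": [], "roles": []},
              "readers": {"names": [], "roles": []}}


def _listed(section: Dict[str, List[str]], name: Optional[str],
            roles: List[str]) -> bool:
    """True if the user name or any of the user's roles appears in the section."""
    if name is not None and name in section.get("names", []):
        return True
    return any(r in section.get("roles", []) for r in roles)


def is_db_admin(security: Dict, user_ctx: Dict) -> bool:
    """Server admins are always db admins; otherwise consult the admins section."""
    name, roles = user_ctx.get("name"), user_ctx.get("roles", [])
    if SERVER_ADMIN_ROLE in roles:
        return True
    return _listed(security.get("admins", {}), name, roles)


def is_reader(security: Dict, user_ctx: Dict) -> bool:
    """Decide whether user_ctx may read (docs and views) from the database.

    Rules modelled:
      * database admins, including server admins, can always read;
      * a readers section with no names and no roles restricts nobody,
        so anonymous reads succeed (this is why deleting the lists
        re-exposes the view);
      * otherwise the user must be listed by name or by role.
    """
    if is_db_admin(security, user_ctx):
        return True
    readers = security.get("readers", {})
    if not readers.get("names") and not readers.get("roles"):
        return True  # nobody restricted: world-readable
    return _listed(readers, user_ctx.get("name"), user_ctx.get("roles", []))


def validate_security(security: Dict) -> List[str]:
    """Return the problems a reviewer would flag in a _security object."""
    problems: List[str] = []
    for section in ("admins", "readers"):
        block = security.get(section)
        if not isinstance(block, dict):
            problems.append(f"missing or malformed '{section}' section")
            continue
        for key in ("names", "roles"):
            val = block.get(key, [])
            if not isinstance(val, list) or not all(isinstance(v, str) for v in val):
                problems.append(f"'{section}.{key}' must be a list of strings")
    readers = security.get("readers")
    if isinstance(readers, dict) and not readers.get("names") and not readers.get("roles"):
        problems.append("readers section is empty: database is readable anonymously")
    return problems


if __name__ == "__main__":
    for label, sec in (("locked", LOCKED), ("open", OPEN)):
        for who, ctx in (("anonymous", ANON), ("strawman", STRAWMAN), ("astraw", ASTRAW)):
            print(f"{label:6} {who:9} read allowed: {is_reader(sec, ctx)}")
        print(f"{label:6} problems: {validate_security(sec)}")
```

Under this model, the locked object denies anonymous reads and allows both strawman and the server admin, which is the outcome the message expects for documents and views alike; the empty object allows everyone, which is the anonymous view read shown at the end of the message. The validator is the check to run over each database's `_security` before trusting it as an access control.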
