couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From J Chris Anderson <jch...@gmail.com>
Subject Re: confused about security
Date Wed, 24 Feb 2010 02:36:40 GMT

On Feb 23, 2010, at 1:42 AM, Andrew Straw wrote:

> Hi,
> 
> Are members of the admins and readers lists supposed to be able to
> execute saved views? I can't get this to work using the 0.11.x git
> branch, although accessing individual docs works as I expect. I will
> happily provide more information if need be. I'm very new to CouchDB and
> may simply be missing something, so please bear with me.
> 
> Steps to reproduce.
> 
> Start with clean CouchDB install.
> 
> Signup two users. The first ("astraw") is an admin user, and the second
> ("strawman") has no privs. (Side note: the Definitive Guide chapter 22
> does not correspond with 0.11.x behavior. Specifically, the POST to
> _session with username and password  no longer returns a working
> AuthSession cookie.)
> 
> Create a db as admin:
> 
> curl -X PUT http://astraw:abc123@localhost:5984/cooldb
> 
> Add a document:
> 
> curl -X PUT http://localhost:5984/cooldb/doc1 -d '{"title":"This is
> document 1"}'
> 
> And I add a design document:
> 
> curl -X PUT http://astraw:abc123@127.0.0.1:5984/cooldb/_design/example
> -d \
> '{"_id":"_design/example","views":{"foo":{"map":"function(doc){emit(doc._id,doc._rev)}"}}}'
> 
> 
> I can execute the view:
> 
> curl
> http://strawman:strawman@127.0.0.1:5984/cooldb/_design/example/_view/foo
> {"total_rows":1,"offset":0,"rows":[
> {"id":"doc1","key":"doc1","value":"1-d4d7c84b286776200bcf12d5d481ebda"}
> ]}
> 
> 
> 
> 
> 
> Now I enable turn on security by adding strawman to the reader list.
> 
> curl -X PUT http://astraw:abc123@localhost:5984/cooldb/_security \
> -d
> '{"admins":{"names":[],"roles":[]},"readers":{"names":["strawman"],"roles":[]}}'
> 
> OK, so now anonymous reads are forbidden, which is expected:
> 
> curl http://localhost:5984/cooldb/doc1
> {"error":"unauthorized","reason":"You are not authorized to access this
> db."}
> 
> and authorized reads are OK, which is also as expected:
> 
> curl http://strawman:strawman@127.0.0.1:5984/cooldb/doc1
> {"_id":"doc1","_rev":"1-d4d7c84b286776200bcf12d5d481ebda","title":"This
> is document 1"}
> 
> same with reads from the _admin user:
> 
> curl http://astraw:abc123@127.0.0.1:5984/cooldb/doc1
> {"_id":"doc1","_rev":"1-d4d7c84b286776200bcf12d5d481ebda","title":"This
> is document 1"}
> 
> So far, so good.  But now, I can't execute the view, even as admin:
> 
> curl http://astraw:abc123@127.0.0.1:5984/cooldb/_design/example/_view/foo
> {"error":"unauthorized","reason":"You are not authorized to access this
> db."}
> 

Doh. That is too much security!

This will be a simple fix (embarrassing that I didn't test it before.)

I'll have a go at it after dinner unless I just plain fall asleep as I've been traveling all
day.

I'd say this is worth waiting on building 0.11 release artifacts. Sorry Noah.

Hopefully I'll have the resolved before it causes any delays in the release.

Chris

> If I delete the _security, I can see the view again, even anonymously:
> 
> curl -X PUT http://astraw:abc123@localhost:5984/cooldb/_security -d
> '{"admins":{"names":[],"roles":[]},"readers":{"names":[],"roles":[]}}'
> 
> curl http://127.0.0.1:5984/cooldb/_design/example/_view/foo
> {"total_rows":1,"offset":0,"rows":[
> {"id":"doc1","key":"doc1","value":"1-d4d7c84b286776200bcf12d5d481ebda"}
> ]}
> 
> -Andrew


Mime
View raw message