couchdb-dev mailing list archives

From "Filipe Manana (JIRA)" <>
Subject [jira] Commented: (COUCHDB-1072) Having a : in the "name" property in a _users document makes the GET /_session won't work
Date Wed, 23 Feb 2011 12:00:40 GMT


Filipe Manana commented on COUCHDB-1072:

I'm inclined to not allow the character : to be allowed in user names. They're not allowed
for HTTP basic auth user names, so it makes some sense to be consistent and not allow it for
any of the authentication handlers we ship. Robert Newson also agrees with this (opinion expressed
via IRC).

If no one is against this approach, I would add a rule in the validate document update handler
of the _users database that checks for : in the user name.

> Having a : in the "name" property in a _users document makes the GET /_session won't
> -----------------------------------------------------------------------------------------
>                 Key: COUCHDB-1072
>                 URL:
>             Project: CouchDB
>          Issue Type: Bug
>            Reporter: Johnny Weng Luu
>            Assignee: Filipe Manana
>            Priority: Critical
> I have created multiple user documents in the _users database with the following in the "name" property:
> ""
> "mammamia"
> "mamma/mia"
> "mamma:mia"
> I logged in each one of them (the password is the same for all of them) and then I tried to get the current user session with GET /_session with cookie auth.
> It worked for the first 3 documents but not for the 4th one.
> Conclusion: If I have a : in the "name" it won't work.
> Would be good to either fix that so every character works or emitting an error message if you save a document with invalid characters like the ":".
> Hope this will be taken care of! Took me quite some time to figure out!
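
One way to write the check proposed in the comment above, as an added example that is not part of the original message and not CouchDB's own code: a validate_doc_update-style function that rejects ":" in the "name" property, next to a decoder showing how an HTTP basic auth header splits at the first colon. The function names and the password "secret" are hypothetical; the sample names are the ones from the report.

```javascript
// Added example, not CouchDB source. CouchDB calls validate_doc_update
// functions as (newDoc, oldDoc, userCtx, secObj); throwing an object with a
// "forbidden" key rejects the write.
function validateUserName(newDoc, oldDoc, userCtx, secObj) {
  if (newDoc._deleted === true) {
    return; // a deletion carries no name to check
  }
  if (typeof newDoc.name !== 'string') {
    throw { forbidden: 'doc.name must be a string' };
  }
  if (newDoc.name.indexOf(':') !== -1) {
    throw { forbidden: "Character ':' is not allowed in user names" };
  }
}

// Hypothetical helper: run the check against a minimal user document.
function tryWrite(name) {
  try {
    validateUserName({ type: 'user', name: name }, null, {}, {});
    return 'accepted';
  } catch (e) {
    if (e && e.forbidden) return 'forbidden';
    throw e; // anything else is a bug in the validator itself
  }
}

// Build and decode a basic auth header. The credentials are the base64 of
// "user-id:password", so the decoder ends the user-id at the FIRST colon.
function basicHeader(name, password) {
  return 'Basic ' + Buffer.from(name + ':' + password, 'utf8').toString('base64');
}

function parseBasicAuth(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(headerValue);
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':');
  if (i === -1) return null;
  return { name: decoded.slice(0, i), password: decoded.slice(i + 1) };
}

// Names from the report; the password is a constructed sample value.
for (const name of ['mammamia', 'mamma/mia', 'mamma:mia']) {
  const seen = parseBasicAuth(basicHeader(name, 'secret'));
  console.log(JSON.stringify(name), tryWrite(name), 'server sees:', JSON.stringify(seen));
}
```

With the check in place, the write of "mamma:mia" is refused at save time, which is the error message the reporter asked for.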
