couchdb-dev mailing list archives

From Randall Leeds <randall.le...@gmail.com>
Subject Re: Issues blocking the 1.2.0 release
Date Tue, 14 Feb 2012 19:36:26 GMT
On Tue, Feb 14, 2012 at 11:06, Benoit Chesneau <bchesneau@gmail.com> wrote:
> On Tue, Feb 14, 2012 at 7:53 PM, Randall Leeds <randall.leeds@gmail.com> wrote:
>> On Tue, Feb 14, 2012 at 10:41, Jan Lehnardt <jan@apache.org> wrote:
>>>
>>> On Feb 14, 2012, at 19:35 , Randall Leeds wrote:
>>>
>>>> On Tue, Feb 14, 2012 at 10:19, Jan Lehnardt <jan@apache.org> wrote:
>>>>>
>>>>> On Feb 14, 2012, at 19:13 , Randall Leeds wrote:
>>>>>
>>>>>> On Tue, Feb 14, 2012 at 04:14, Noah Slater <nslater@tumbolia.org> wrote:
>>>>>>> Devs,
>>>>>>>
>>>>>>> Please outline:
>>>>>>>
>>>>>>>   - What has been changed since round one of the 1.2.0 release
>>>>>>>   - What remains to be fixed for regression purposes
>>>>>>>   - Who is doing these fixes, and when will they be done by
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> N
>>>>>>
>>>>>> I'd like to know if it was always the case that design doc actions on
>>>>>> system dbs were inaccessible to non-admins or if that's just since the
>>>>>> recent security changes. If it's recent, why was that part deemed
>>>>>> necessary and can we remove it?
>>>>>
>>>>> It is part of the recent changes and the reason is that a view potentially
>>>>> leaks information about docs and we don't want that. I'm happy to relax this
>>>>> later if we can convince people to write views that don't compromise their
>>>>> security, but until then I opted for the more secure default.
>>>>>
>>>>
>>>> I motion to remove this restriction now, unless there are actions on
>>>> the system dbs, installed by default, that leak anything at all.
>>>> I see the motivation but I feel it might be overly paranoid. Only an
>>>> admin can modify the ddocs. If a user decides to add views to
>>>> _replicator or _user they had best think about what they expose and to
>>>> whom.
>>>>
>>>> If there's no objection I can try to tackle this in the evening.
>>>
>>> I object :)
>>
>> Hmm. What's your reasoning?
> Why do you need views in _users ?
>
> - benoît

The idea was to make it easy to add public profiles, since
?include_docs is subject to the new security hooks, but emit() could
publish the public information.
There are valid use cases for admin-only views, which this would
prevent, though. In that case, we probably shouldn't change anything.

-R
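
The trade-off discussed in this thread, as an added example that is not part of the original message or CouchDB's own code: a map function over `_users` that emits the whole document next to one that emits only allowlisted profile fields, plus a check for credential fields in the emitted rows. The `public_profile` sub-object, its field names, `runMap` and the sample documents are assumptions made for illustration.

```javascript
// Stand-in for the view server (added example, not CouchDB code).
let emit; // rebound per document, the way the view server exposes emit()
function runMap(mapFn, docs) {
  const rows = [];
  for (const doc of docs) {
    emit = (key, value) => rows.push({ id: doc._id, key, value });
    mapFn(doc);
  }
  return rows;
}

// Leaky view: emitting the whole doc publishes password_sha and salt.
function leakyMap(doc) {
  if (doc.type === 'user') emit(doc.name, doc);
}

// Allowlist view: copy only named string fields from the hypothetical
// public_profile sub-object; anything else stored there is dropped.
const PUBLIC_FIELDS = ['display_name', 'website'];
function publicProfileMap(doc) {
  const p = doc.public_profile;
  if (doc.type !== 'user' || p === null || typeof p !== 'object') return;
  const out = {};
  for (const f of PUBLIC_FIELDS) {
    if (typeof p[f] === 'string') out[f] = p[f];
  }
  emit(doc.name, out);
}

// Review check: which sensitive keys appear anywhere in the emitted values?
const SENSITIVE = ['password_sha', 'salt'];
function leakedFields(rows) {
  const found = new Set();
  const walk = (v) => {
    if (v === null || typeof v !== 'object') return;
    for (const [k, child] of Object.entries(v)) {
      if (SENSITIVE.includes(k)) found.add(k);
      walk(child);
    }
  };
  rows.forEach((r) => walk(r.value));
  return [...found].sort();
}

// Constructed sample docs (placeholder values, not real hashes).
const docs = [
  { _id: 'org.couchdb.user:alice', type: 'user', name: 'alice', roles: [], password_sha: 'constructed-sha-a', salt: 'constructed-salt-a', public_profile: { display_name: 'Alice', website: 'https://example.org/alice' } },
  { _id: 'org.couchdb.user:bob', type: 'user', name: 'bob', roles: [], password_sha: 'constructed-sha-b', salt: 'constructed-salt-b', public_profile: { display_name: 'Bob', salt: 'constructed-salt-b' } },
  { _id: 'org.couchdb.user:carol', type: 'user', name: 'carol', roles: [], password_sha: 'constructed-sha-c', salt: 'constructed-salt-c' },
];
```

`leakedFields(runMap(leakyMap, docs))` reports both credential fields, while the allowlist view yields rows only for alice and bob and drops the stray `salt` bob copied into his profile.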
