couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stéphane Alnet (JIRA) <>
Subject [jira] [Created] (COUCHDB-1475) _users design documents access
Date Tue, 01 May 2012 13:31:48 GMT
Stéphane Alnet created COUCHDB-1475:

             Summary: _users design documents access
                 Key: COUCHDB-1475
             Project: CouchDB
          Issue Type: Question
          Components: Database Core
    Affects Versions: 1.2
         Environment: Debian/testing
            Reporter: Stéphane Alnet
            Priority: Minor

Sorry I'm coming in late on this topic, I found this while testing my existing code against

The comments for commit e5503ffef957dc5e8784c7223e318738ae79b6df indicate for `after_doc_read`:

          If the doc is a design doc and the userCtx doesn't identify
          an admin or db-admin:
          -> 403 // Forbidden

This breaks the (previously working) case where access to the _users database is restricted
using a "members" security property, and authorized users could use a couchapp found in the
_users database to manager user records.

(These power-users would have, say, "user_manager_ro" and "user_manager_rw" roles assigned
to them, with the ro/rw aspect handled by a specific validate_doc_udpate() which would be
part of the couchapp; the roles were entered in the _users' database members.roles security

Pointing me back to a discussion explaining the background for this new behavior would be
sufficient, if it is effectively a desirable side-effect and things will remain as they are.
Otherwise it seems a finer-grained logic for after_doc_read() would be able to restore the
desired result, along the lines of:

          If the doc is a design doc and (there are no security members.roles and no members.names)
and (the userCtx doesn't identify
          an admin or db-admin)
          -> 403 // Forbidden


PS: Overall I'm surprised the changes in that commit used new Erlang code rather than suggesting
best-practices using the exisiting security features. I don't understand how hiding the design
documents enhances security ("security by obscurity"), but that's beyond what I'm asking here.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:!default.jspa
For more information on JIRA, see:


View raw message