couchdb-dev mailing list archives

From "Jan Lehnardt (JIRA)" <>
Subject [jira] [Commented] (COUCHDB-1656) Anonymous Users and Non-Admins Can Read the Security Object
Date Mon, 28 Jan 2013 09:21:12 GMT


Jan Lehnardt commented on COUCHDB-1656:

1. _security doesn’t have MVCC to avoid btree lookups on each request to that db. (either way this is out of scope)
2. I haven’t had time to digest this fully yet, but I am inclined to agree with the notion of the patch, that only [db]-admins get to look at _security.
> Anonymous Users and Non-Admins Can Read the Security Object
> -----------------------------------------------------------
>                 Key: COUCHDB-1656
>                 URL:
>             Project: CouchDB
>          Issue Type: Bug
>          Components: Database Core
>            Reporter: Klaus Trainer
>         Attachments: 0001-Don-t-give-non-admins-read-access-to-db-_security.patch
> It is possible that anonymous users are able to read a DB's security object if the security object's `members` array is empty or missing. Also, it is generally possible for authenticated members (non-admin users) to read the security object.
> Only admin users should be allowed to read the security object.

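The access rule the issue describes, written out as an added example (this is not CouchDB's or the patch author's code). It models CouchDB's documented membership check, under which a database whose `members` names and roles are both empty is public, and applies it to a read of `/{db}/_security` twice: once as the reported behaviour (any database member may read it) and once as the behaviour the patch title proposes (only server or database admins may read it). The `UserCtx` shape, the function names and the sample security objects are assumptions made for the example.

```python
"""Model of who may read a CouchDB database's _security object.

Added example, not CouchDB code. The membership rule follows CouchDB's
documented semantics: a db with no members (empty names and roles) is public.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UserCtx:
    """Minimal stand-in for a CouchDB user context (assumed shape)."""
    name: Optional[str] = None          # None models an anonymous request
    roles: list = field(default_factory=list)


def _section(security: dict, key: str) -> tuple:
    sec = security.get(key) or {}
    return list(sec.get("names") or []), list(sec.get("roles") or [])


def is_server_admin(ctx: UserCtx) -> bool:
    return "_admin" in ctx.roles


def is_db_admin(ctx: UserCtx, security: dict) -> bool:
    """Server admins and anyone listed under security.admins."""
    names, roles = _section(security, "admins")
    return (is_server_admin(ctx)
            or ctx.name in names
            or bool(set(ctx.roles) & set(roles)))


def is_db_member(ctx: UserCtx, security: dict) -> bool:
    """CouchDB member check: an empty members section makes the db public."""
    names, roles = _section(security, "members")
    if not names and not roles:
        return True                      # no members configured: public db
    return (is_db_admin(ctx, security)
            or ctx.name in names
            or bool(set(ctx.roles) & set(roles)))


def can_read_security_reported(ctx: UserCtx, security: dict) -> bool:
    """Behaviour the issue reports: _security readable by any db member."""
    return is_db_member(ctx, security)


def can_read_security_patched(ctx: UserCtx, security: dict) -> bool:
    """Behaviour the patch proposes: only (db-)admins may read _security."""
    return is_db_admin(ctx, security)


# Constructed sample security objects.
OPEN_DB = {"admins": {"names": ["root"], "roles": []},
           "members": {"names": [], "roles": []}}      # members empty: public
MEMBER_DB = {"admins": {"names": ["root"], "roles": []},
             "members": {"names": ["alice"], "roles": ["staff"]}}

ANON = UserCtx()
ALICE = UserCtx(name="alice")
ROOT = UserCtx(name="root")
SERVER_ADMIN = UserCtx(name="ops", roles=["_admin"])


def exposure_table() -> dict:
    """Who can read _security under each rule, for the two sample dbs."""
    out = {}
    for db_name, sec in (("open", OPEN_DB), ("member", MEMBER_DB)):
        for who, ctx in (("anon", ANON), ("alice", ALICE),
                         ("root", ROOT), ("server_admin", SERVER_ADMIN)):
            out[(db_name, who)] = (can_read_security_reported(ctx, sec),
                                   can_read_security_patched(ctx, sec))
    return out


if __name__ == "__main__":
    for (db, who), (reported, patched) in exposure_table().items():
        print(f"{db:>6} db, {who:>12}: reported={reported!s:5} patched={patched}")
```

The interesting rows are the anonymous reader of the open database (readable under the reported rule because the empty `members` section makes the whole database public) and `alice` on the member database (readable as a member, but not an admin). Both are closed off once the read is gated on `is_db_admin` instead of `is_db_member`, while `root` and a server admin keep access under either rule.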