couchdb-dev mailing list archives

From "Robert Newson (JIRA)" <>
Subject [jira] [Commented] (COUCHDB-1656) Anonymous Users and Non-Admins Can Read the Security Object
Date Mon, 28 Jan 2013 09:27:12 GMT


Robert Newson commented on COUCHDB-1656:

To point 1, I think that's unrelated. It could have MVCC properties and still be pointed to
directly from the #db_header (though the MVCC-ness of _security is not part of this ticket).

I'm inclined to take the patch. Only admins can edit the _security document; I can't think
of a good reason for non-admins to be able to read it.

> Anonymous Users and Non-Admins Can Read the Security Object
> -----------------------------------------------------------
>                 Key: COUCHDB-1656
>                 URL:
>             Project: CouchDB
>          Issue Type: Bug
>          Components: Database Core
>            Reporter: Klaus Trainer
>         Attachments: 0001-Don-t-give-non-admins-read-access-to-db-_security.patch
> It is possible that anonymous users are able to read a DB's security object if the security
> object's `members` array is empty or missing. Also, it is generally possible for authenticated
> members (non-admin users) to read the security object.
> Only admin users should be allowed to read the security object.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:
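
The exposure the ticket describes follows from how CouchDB decides membership: a database whose `members` section lists no names and no roles is public, so "any member may read _security" includes anonymous requests. The following Python model, added here and not part of CouchDB or the attached patch, reproduces those membership rules (server admins carry the `_admin` role; `admins`/`members` sections hold `names` and `roles`) and contrasts the pre-patch rule (members may read `_security`) with the admin-only rule the ticket asks for. The function names, the `audit` helper and the sample security objects and user contexts are this example's own and are constructed for illustration.

```python
"""Model of who can read a CouchDB database's _security object.

Added example, not CouchDB's own code. It reproduces the documented
membership rules (a database with an empty or missing `members` section is
readable by everyone; server admins carry the `_admin` role) and contrasts
the pre-patch rule, under which any database member could read _security,
with the admin-only rule COUCHDB-1656 asks for. Function names, sample
security objects and user contexts are constructed for this example.
"""

SERVER_ADMIN_ROLE = "_admin"


def _matches(section, user):
    """True if the user's name or any of their roles is listed in the section."""
    names = section.get("names", [])
    roles = section.get("roles", [])
    if user.get("name") in names:
        return True
    return any(r in roles for r in user.get("roles", []))


def is_db_admin(security, user):
    """Server admins (role _admin) and anyone listed under `admins`."""
    if SERVER_ADMIN_ROLE in user.get("roles", []):
        return True
    return _matches(security.get("admins", {}), user)


def is_db_member(security, user):
    """Admins are members. With no names and no roles under `members`
    the database is public, so even an anonymous user is a member."""
    if is_db_admin(security, user):
        return True
    members = security.get("members", {})
    if not members.get("names") and not members.get("roles"):
        return True  # empty or missing members section: open to everyone
    return _matches(members, user)


def can_read_security_before_fix(security, user):
    """Pre-patch behaviour: reading _security only required membership."""
    return is_db_member(security, user)


def can_read_security_after_fix(security, user):
    """Behaviour the attached patch asks for: admins only."""
    return is_db_admin(security, user)


# Constructed sample user contexts (shape follows CouchDB's userCtx: name, roles).
ANONYMOUS = {"name": None, "roles": []}
ALICE = {"name": "alice", "roles": ["staff"]}
BOB = {"name": "bob", "roles": ["staff", "dbadmin"]}
ROOT = {"name": "root", "roles": [SERVER_ADMIN_ROLE]}

# Constructed sample security objects: one public (empty members), one restricted.
PUBLIC_DB = {"admins": {"names": [], "roles": ["dbadmin"]},
             "members": {"names": [], "roles": []}}
PRIVATE_DB = {"admins": {"names": [], "roles": ["dbadmin"]},
              "members": {"names": ["alice"], "roles": []}}


def audit(security, users):
    """Map each user (anonymous users keyed as 'anonymous') to a
    (readable before fix, readable after fix) pair for this security object."""
    return {
        u["name"] or "anonymous": (can_read_security_before_fix(security, u),
                                   can_read_security_after_fix(security, u))
        for u in users
    }


if __name__ == "__main__":
    for label, sec in (("public", PUBLIC_DB), ("private", PRIVATE_DB)):
        for who, (before, after) in audit(sec, [ANONYMOUS, ALICE, BOB, ROOT]).items():
            print(f"{label:8} {who:10} before={before!s:5} after={after}")
```

Running the block shows the two cases the ticket names: on the public database the anonymous user and `alice` can read `_security` under the old rule but not the new one, and on the private database `alice` (a listed member) loses read access while `bob` (admin by role) and `root` (server admin) keep it.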
