couchdb-dev mailing list archives

From "Alexander Shorin (JIRA)" <>
Subject [jira] [Created] (COUCHDB-1837) Incorrect HTTP response on attempt to update other user doc with public fields enabled
Date Fri, 21 Jun 2013 22:56:19 GMT
Alexander Shorin created COUCHDB-1837:

             Summary: Incorrect HTTP response on attempt to update other user doc with public fields enabled
                 Key: COUCHDB-1837
             Project: CouchDB
          Issue Type: Bug
          Components: HTTP Interface
            Reporter: Alexander Shorin

When `public_fields` are specified (see [8d7ab8b1|;a=commit;h=8d7ab8b18dd20f8785e69f4420c6f93a2edbfa60]
commit) and a regular user tries to update another user's doc, CouchDB returns an HTTP 404 Not Found
response, while HTTP 403 Forbidden is more expected.

Steps to reproduce:

1. Enable `public_fields`

curl -X PUT http://localhost:5984/_config/couch_httpd_auth/public_fields -d '"name,email,whatever"' -H "Content-Type: application/json" --user couch_admin

2. Setup some users

curl -X PUT http://localhost:5984/_users/org.couchdb.user:abc -d '{"name":"abc", "roles":[], "type":"user", "password": "cba"}' -H "Content-Type: application/json"
curl -X PUT http://localhost:5984/_users/org.couchdb.user:def -d '{"name":"def", "roles":[], "type":"user", "password": "fed"}' -H "Content-Type: application/json"

3. Now user `abc` may browse `def`'s doc

> curl -v http://abc:cba@localhost:5984/_users/org.couchdb.user:def

HTTP/1.1 200 OK
Cache-Control: must-revalidate
Content-Length: 88
Content-Type: text/plain; charset=utf-8
Date: Fri, 21 Jun 2013 22:48:03 GMT
ETag: "1-fa20c151bb6946527d261e9ef4338923"
Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)


4. Try to save `def`'s doc:

curl -v -X PUT http://abc:cba@localhost:5984/_users/org.couchdb.user:def -d '{}' -H "Content-Type:

HTTP/1.1 404 Object Not Found
Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
Date: Fri, 21 Jun 2013 22:49:44 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 41
Cache-Control: must-revalidate


Since the `org.couchdb.user:def` doc actually exists and is available via a direct GET request, the 404
response is incorrect and confusing, while HTTP 403 Forbidden is expected.
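Added example, not from this report or from CouchDB's own code: a small Python model of the `_users` access decisions the steps above exercise (field stripping under `public_fields`, owner vs. non-owner reads and writes), with the reported 404 on a non-owner PUT beside the 403 the report expects. The sample docs, placeholder hashes, the `fixed` switch and the reason strings are constructed for illustration; server-admin requests are not modelled.

```python
# Constructed model of the _users access rules in this report; not CouchDB's code.
# Covers only regular users; server-admin requests are not modelled.

def parse_public_fields(value):
    """Turn the _config value ('"name,email,whatever"' or None) into a field list."""
    if not value:
        return []
    return [f.strip() for f in value.strip().strip('"').split(",") if f.strip()]

# Constructed sample _users docs (hashes and revs are placeholders).
USERS_DB = {
    "org.couchdb.user:abc": {"_id": "org.couchdb.user:abc", "_rev": "1-aaa", "name": "abc",
                             "roles": [], "type": "user", "email": "abc@example.com",
                             "password_sha": "PLACEHOLDER", "salt": "PLACEHOLDER"},
    "org.couchdb.user:def": {"_id": "org.couchdb.user:def", "_rev": "1-ddd", "name": "def",
                             "roles": [], "type": "user", "email": "def@example.com",
                             "password_sha": "PLACEHOLDER", "salt": "PLACEHOLDER"},
}

def handle(method, docid, requester, public_fields, db=USERS_DB, fixed=True):
    """Return (status, body) for a request by `requester` against a _users doc.

    fixed=False reproduces the behaviour reported in COUCHDB-1837 (404 on a
    non-owner PUT); fixed=True returns the 403 the report says is expected.
    """
    doc = db.get(docid)
    if doc is None:
        return 404, {"error": "not_found", "reason": "missing"}
    is_owner = doc["name"] == requester
    if method == "GET":
        if is_owner:
            return 200, dict(doc)
        if not public_fields:
            # With no public fields, other users' docs are hidden entirely,
            # so a 404 here is indistinguishable from a missing doc by design.
            return 404, {"error": "not_found", "reason": "missing"}
        keep = set(public_fields) | {"_id", "_rev"}
        return 200, {k: v for k, v in doc.items() if k in keep}
    if method == "PUT":
        if is_owner:
            return 201, {"ok": True, "id": docid}
        if fixed:
            # The doc exists and was just readable via GET, so refusing the
            # write should say "forbidden", not "not found".
            return 403, {"error": "forbidden", "reason": "only the owner may update this user doc"}
        return 404, {"error": "not_found", "reason": "missing"}  # reported behaviour
    return 405, {"error": "method_not_allowed"}
```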
