couchdb-dev mailing list archives

From "Robert Newson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (COUCHDB-1837) Incorrect HTTP response on attempt to update other user doc with public fields enabled
Date Fri, 21 Jun 2013 22:58:20 GMT

    [ https://issues.apache.org/jira/browse/COUCHDB-1837?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13690862#comment-13690862 ]

Robert Newson commented on COUCHDB-1837:
----------------------------------------

10.4.4 403 Forbidden

The server understood the request, but is refusing to fulfill it. Authorization will not help
and the request SHOULD NOT be repeated. If the request method was not HEAD and the server
wishes to make public why the request has not been fulfilled, it SHOULD describe the reason
for the refusal in the entity. If the server does not wish to make this information available
to the client, the status code 404 (Not Found) can be used instead.

> Incorrect HTTP response on attempt to update other user doc with public fields enabled
> --------------------------------------------------------------------------------------
>
>                 Key: COUCHDB-1837
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-1837
>             Project: CouchDB
>          Issue Type: Bug
>          Components: HTTP Interface
>            Reporter: Alexander Shorin
>
> When `public_fields` are specified (see the [8d7ab8b1|https://git-wip-us.apache.org/repos/asf?p=couchdb.git;a=commit;h=8d7ab8b18dd20f8785e69f4420c6f93a2edbfa60] commit) and a regular user tries to update another user's doc, CouchDB returns an HTTP 404 Not Found response, while HTTP 403 Forbidden is more expected.
> Steps to reproduce:
> 1. Enable `public_fields`
> {code}
> curl -X PUT http://localhost:5984/_config/couch_httpd_auth/public_fields -d '"name,email,whatever"' -H "Content-Type: application/json" --user couch_admin
> {code}
> 2. Setup some users
> {code}
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:abc -d '{"name":"abc", "roles":[], "type":"user", "password": "cba"}' -H "Content-Type: application/json"
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:def -d '{"name":"def", "roles":[], "type":"user", "password": "fed"}' -H "Content-Type: application/json"
> {code}
> 3. Now user `abc` may browse `def` doc
> {code}
> > curl -v http://abc:cba@localhost:5984/_users/org.couchdb.user:def
> HTTP/1.1 200 OK
> Cache-Control: must-revalidate
> Content-Length: 88
> Content-Type: text/plain; charset=utf-8
> Date: Fri, 21 Jun 2013 22:48:03 GMT
> ETag: "1-fa20c151bb6946527d261e9ef4338923"
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> {"_id":"org.couchdb.user:def","_rev":"1-fa20c151bb6946527d261e9ef4338923","name":"def"}
> {code}
> 4. Try to save `def`'s doc:
> {code}
> curl -v -X PUT http://abc:cba@localhost:5984/_users/org.couchdb.user:def -d '{}' -H "Content-Type: application/json"
> HTTP/1.1 404 Object Not Found
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> Date: Fri, 21 Jun 2013 22:49:44 GMT
> Content-Type: text/plain; charset=utf-8
> Content-Length: 41
> Cache-Control: must-revalidate
> {"error":"not_found","reason":"missing"}
> {code}
> Since the `org.couchdb.user:def` doc actually exists and is available to a direct GET request, the 404 response is incorrect and confusing, while HTTP 403 Forbidden is expected.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
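The reproduction above needs a running CouchDB, so the following is an added, offline model of the behaviour under discussion. It is not CouchDB's own code (that is Erlang) and not part of the JIRA message: the sample `_users` documents, the `password_sha`/`salt` fields standing in for stored credential material, the error strings and the helper names (`handle_buggy`, `handle_fixed`, `audit`) are all constructed for this illustration. It shows the reported behaviour (every non-owner write answered 404) beside the variant the reporter asks for, where the refusal status follows what the requester can already read: if a GET on the same document would succeed, its existence is disclosed and the refusal is 403; if even the GET would be 404, the write stays 404, which is the RFC 2616 10.4.4 option Robert Newson quotes. The `audit` helper finds exactly the inconsistency in the report: documents a user can GET but whose PUT claims they do not exist.

```python
"""Model of CouchDB 1.4 _users access with public_fields, showing why a
non-owner PUT should answer 403 rather than 404.  Added illustration for
this page, not CouchDB's Erlang code; the sample data, status rule and
error strings are assumptions made for the example."""

# Constructed sample _users database.  password_sha/salt stand in for the
# credential material the server stores; they must never reach other users.
USERS_DB = {
    "org.couchdb.user:abc": {
        "_id": "org.couchdb.user:abc", "_rev": "1-aaa", "type": "user",
        "name": "abc", "roles": [], "password_sha": "deadbeef", "salt": "1111",
    },
    "org.couchdb.user:def": {
        "_id": "org.couchdb.user:def",
        "_rev": "1-fa20c151bb6946527d261e9ef4338923", "type": "user",
        "name": "def", "roles": [], "password_sha": "cafebabe", "salt": "2222",
    },
}
PUBLIC_FIELDS = ("name", "email", "whatever")  # value set in step 1 of the report

NOT_FOUND = (404, {"error": "not_found", "reason": "missing"})


def visible_view(doc, requester, public_fields):
    """The document as `requester` may read it, or None if hidden from them.
    Admin and owner get everything; with public_fields set, other users get
    _id, _rev and the listed fields only; without it they get nothing."""
    if requester == "admin" or doc["name"] == requester:
        return doc
    if public_fields:
        keep = {"_id", "_rev", *public_fields}
        return {k: v for k, v in doc.items() if k in keep}
    return None


def handle_buggy(method, requester, doc_id, db, public_fields=()):
    """Behaviour reported in COUCHDB-1837: every non-owner write is 404,
    even when the same requester can GET the document."""
    doc = db.get(doc_id)
    if doc is None:
        return NOT_FOUND
    if method == "GET":
        view = visible_view(doc, requester, public_fields)
        return (200, view) if view is not None else NOT_FOUND
    if requester == "admin" or doc["name"] == requester:
        return 201, {"ok": True, "id": doc_id}
    return NOT_FOUND


def handle_fixed(method, requester, doc_id, db, public_fields=()):
    """Same, but the refusal status is chosen by what the requester can read:
    readable document -> 403 (existence is already disclosed); unreadable
    document -> 404 (RFC 2616 10.4.4: server declines to say why)."""
    doc = db.get(doc_id)
    if doc is None:
        return NOT_FOUND
    view = visible_view(doc, requester, public_fields)
    if method == "GET":
        return (200, view) if view is not None else NOT_FOUND
    if requester == "admin" or doc["name"] == requester:
        return 201, {"ok": True, "id": doc_id}
    if view is None:
        return NOT_FOUND
    return 403, {"error": "forbidden",
                 "reason": "only the owner or an admin may update this user doc"}


def audit(handler, requester, db, public_fields=()):
    """Ids of documents the requester can GET (200) but whose PUT is refused
    with 404: a readable document that 'does not exist' for writes."""
    bad = []
    for doc_id in db:
        get_status, _ = handler("GET", requester, doc_id, db, public_fields)
        put_status, _ = handler("PUT", requester, doc_id, db, public_fields)
        if get_status == 200 and put_status == 404:
            bad.append(doc_id)
    return bad


if __name__ == "__main__":
    for label, h in (("buggy", handle_buggy), ("fixed", handle_fixed)):
        print(label, "GET:", h("GET", "abc", "org.couchdb.user:def", USERS_DB, PUBLIC_FIELDS))
        print(label, "PUT:", h("PUT", "abc", "org.couchdb.user:def", USERS_DB, PUBLIC_FIELDS)[0])
        print(label, "inconsistent:", audit(h, "abc", USERS_DB, PUBLIC_FIELDS))
```

With `public_fields` set, both handlers answer `abc`'s GET on `def`'s doc with 200 and only `_id`, `_rev` and `name`, matching step 3 of the report; on the PUT in step 4 the buggy handler answers 404 and the fixed one 403. With `public_fields` unset, the fixed handler keeps 404 for the PUT because the GET would be 404 too, so nothing about the document's existence leaks through the write path that the read path does not already reveal.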
