couchdb-dev mailing list archives

From "Alexander Shorin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (COUCHDB-1837) Incorrect HTTP response on attempt to update other user doc with public fields enabled
Date Fri, 21 Jun 2013 23:06:21 GMT

    [ https://issues.apache.org/jira/browse/COUCHDB-1837?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13690869#comment-13690869 ]

Alexander Shorin commented on COUCHDB-1837:
-------------------------------------------

Actually, the server had already made this information (the user's doc) available to the client (in
the response to the GET request against the resource). The server has nothing to share in the response
to the PUT one, except the decision whether it accepted or rejected the data posted by the client against
the resource available (to the client).
                
> Incorrect HTTP response on attempt to update other user doc with public fields enabled
> --------------------------------------------------------------------------------------
>
>                 Key: COUCHDB-1837
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-1837
>             Project: CouchDB
>          Issue Type: Bug
>          Components: HTTP Interface
>            Reporter: Alexander Shorin
>
> When `public_fields` are specified (see the [8d7ab8b1|https://git-wip-us.apache.org/repos/asf?p=couchdb.git;a=commit;h=8d7ab8b18dd20f8785e69f4420c6f93a2edbfa60] commit) and a regular user tries to update another user's doc, CouchDB returns HTTP 404 Not Found request while HTTP 403 Forbidden is more expected.
> Steps to reproduce:
> 1. Enable `public_fields`
> {code}
> curl -X PUT http://localhost:5984/_config/couch_httpd_auth/public_fields -d '"name,email,whatever"' -H "Content-Type: application/json" --user couch_admin
> {code}
> 2. Set up some users
> {code}
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:abc -d '{"name":"abc", "roles":[], "type":"user", "password": "cba"}' -H "Content-Type: application/json"
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:def -d '{"name":"def", "roles":[], "type":"user", "password": "fed"}' -H "Content-Type: application/json"
> {code}
> 3. Now user `abc` may browse `def` doc
> {code}
> > curl -v http://abc:cba@localhost:5984/_users/org.couchdb.user:def
> HTTP/1.1 200 OK
> Cache-Control: must-revalidate
> Content-Length: 88
> Content-Type: text/plain; charset=utf-8
> Date: Fri, 21 Jun 2013 22:48:03 GMT
> ETag: "1-fa20c151bb6946527d261e9ef4338923"
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> {"_id":"org.couchdb.user:def","_rev":"1-fa20c151bb6946527d261e9ef4338923","name":"def"}
> {code}
> 4. Try to save `def`'s doc:
> {code}
> curl -v -X PUT http://abc:cba@localhost:5984/_users/org.couchdb.user:def -d '{}' -H "Content-Type: application/json"
> HTTP/1.1 404 Object Not Found
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> Date: Fri, 21 Jun 2013 22:49:44 GMT
> Content-Type: text/plain; charset=utf-8
> Content-Length: 41
> Cache-Control: must-revalidate
> {"error":"not_found","reason":"missing"}
> {code}
> Since the `org.couchdb.user:def` doc actually exists and is available for a direct GET request, the 404 response is incorrect and confusing, while HTTP 403 Forbidden is expected.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
