Date: Thu, 29 May 2014 22:46:03 +0000 (UTC)
From: "Andy Wenk (JIRA)"
To: dev@couchdb.apache.org
Subject: [jira] [Commented] (COUCHDB-1837) Incorrect HTTP response on attempt to update other user doc with public fields enabled

    [ https://issues.apache.org/jira/browse/COUCHDB-1837?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14013042#comment-14013042 ]

Andy Wenk commented on COUCHDB-1837:
------------------------------------

+1

> Incorrect HTTP response on attempt to update other user doc with public fields enabled
> --------------------------------------------------------------------------------------
>
>                 Key: COUCHDB-1837
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-1837
>             Project: CouchDB
>          Issue Type: Bug
>          Components: HTTP Interface
>            Reporter: Alexander Shorin
>            Priority: Blocker
>             Fix For: 1.6.0
>
>
> When `public_fields` are specified (see [8d7ab8b1|https://git-wip-us.apache.org/repos/asf?p=couchdb.git;a=commit;h=8d7ab8b18dd20f8785e69f4420c6f93a2edbfa60] commit) and a regular user tries to update another user's doc, CouchDB returns HTTP 404 Not Found request while HTTP 403 Forbidden is more expected.
> Steps to reproduce:
> 1. Enable `public_fields`
> {code}
> curl -X PUT http://localhost:5984/_config/couch_httpd_auth/public_fields -d '"name,email,whatever"' -H "Content-Type: application/json" --user couch_admin
> {code}
> 2. Set up some users
> {code}
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:abc -d '{"name":"abc", "roles":[], "type":"user", "password": "cba"}' -H "Content-Type: application/json"
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:def -d '{"name":"def", "roles":[], "type":"user", "password": "fed"}' -H "Content-Type: application/json"
> {code}
> 3. Now user `abc` may browse `def`'s doc
> {code}
>
> curl -v http://abc:cba@localhost:5984/_users/org.couchdb.user:def
> HTTP/1.1 200 OK
> Cache-Control: must-revalidate
> Content-Length: 88
> Content-Type: text/plain; charset=utf-8
> Date: Fri, 21 Jun 2013 22:48:03 GMT
> ETag: "1-fa20c151bb6946527d261e9ef4338923"
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> {"_id":"org.couchdb.user:def","_rev":"1-fa20c151bb6946527d261e9ef4338923","name":"def"}
> {code}
> 4. Try to save `def`'s doc:
> {code}
> curl -v -X PUT http://abc:cba@localhost:5984/_users/org.couchdb.user:def -d '{}' -H "Content-Type: application/json"
> HTTP/1.1 404 Object Not Found
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> Date: Fri, 21 Jun 2013 22:49:44 GMT
> Content-Type: text/plain; charset=utf-8
> Content-Length: 41
> Cache-Control: must-revalidate
> {"error":"not_found","reason":"missing"}
> {code}
> Since the `org.couchdb.user:def` doc actually exists and is available for a direct GET request, the 404 response is incorrect and confusing, while HTTP 403 Forbidden is expected.

--
This message was sent by Atlassian JIRA
(v6.2#6252)
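
A regression check for the behaviour reported above, as an added example that is not part of the original message or of CouchDB's code: it repeats steps 3 and 4 and classifies the write response for a doc the caller can already read. The function names, the `COUCH_URL` and `RUN_CHECK` variables and the result labels are assumptions; the users and URL are the ones from the report.

```shell
#!/bin/sh
# Added example (not CouchDB project code). Assumes steps 1 and 2 of the
# report were already done: public_fields enabled, users abc and def created.

COUCH_URL="${COUCH_URL:-http://localhost:5984}"

# Print only the HTTP status code of one request.
# $1 = method, $2 = user:password, $3 = path, $4 = optional JSON body
http_status() {
    if [ -n "${4:-}" ]; then
        curl -s -o /dev/null -w '%{http_code}' -X "$1" -u "$2" \
             -H 'Content-Type: application/json' -d "$4" "$COUCH_URL$3"
    else
        curl -s -o /dev/null -w '%{http_code}' -X "$1" -u "$2" "$COUCH_URL$3"
    fi
}

# Read another user's doc, then try to overwrite it with '{}' as in step 4.
# Prints ok | bug-404 | write-allowed | not-readable | unexpected:<code>
# and returns 0 only when the write is refused with 403.
check_foreign_update() {
    creds=$1
    doc=$2
    read_code=$(http_status GET "$creds" "/_users/$doc")
    if [ "$read_code" != 200 ]; then
        # Without a successful read the 404-vs-403 comparison says nothing.
        echo "not-readable"
        return 2
    fi
    write_code=$(http_status PUT "$creds" "/_users/$doc" '{}')
    case "$write_code" in
        403) echo "ok"; return 0 ;;            # expected: exists, forbidden
        404) echo "bug-404"; return 1 ;;       # COUCHDB-1837 behaviour
        2??) echo "write-allowed"; return 1 ;; # authorization failure
        *)   echo "unexpected:$write_code"; return 1 ;;
    esac
}

# Run against a live server only when asked to: RUN_CHECK=1 sh check.sh
if [ "${RUN_CHECK:-}" = 1 ]; then
    check_foreign_update "abc:cba" "org.couchdb.user:def"
fi
```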