couchdb-dev mailing list archives

From "Alexander Shorin (JIRA)" <j...@apache.org>
Subject [jira] [Created] (COUCHDB-2534) Return forbidden error when authed user tries to access database it doesn't allowed
Date Tue, 06 Jan 2015 02:08:35 GMT
Alexander Shorin created COUCHDB-2534:
-----------------------------------------

             Summary: Return forbidden error when authed user tries to access database it doesn't allowed
                 Key: COUCHDB-2534
                 URL: https://issues.apache.org/jira/browse/COUCHDB-2534
             Project: CouchDB
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: Database Core
            Reporter: Alexander Shorin


This also causes annoying behaviour when `require_valid_user` is set to `true`. Steps to reproduce:
1. Fix admin party
2. Create some user
3. Create some database
4. Set up members for that database, excluding access for your user
5. Set `require_valid_user=true`
6. Login as the user and open up futon

During database list rendering, Futon requests every database for info about the number of docs,
db size etc. When it hits a database which doesn't have the current user in its members, CouchDB
returns a 401 Unauthorized error, even if you are authenticated. This error comes to the httpd error
handler and, according to the `require_valid_user` setting, CouchDB sends a WWW-Authenticate header
in the response back to the browser (this happens only for unauthorized errors). The browser sees
that header and shows a modal dialog to let the end user specify credentials in order to access some
unnamed resource. And this happens for every database.

If you have a hundred of them and the user has access only to a single one, using Futon/Fauxton
turns into a nightmare.

The error originates from couch_db:check_is_member/1, which doesn't care whether the user is already
authenticated, counting everyone as unauthenticated if they are not members.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
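To make the distinction the ticket asks for concrete, here is an added Python model (not CouchDB's own code) of the membership check and the HTTP response it should produce, with the reported 401 behaviour beside the expected 403. The security object, user names and realm string are constructed for the example.

```python
# Constructed _security-style object: admins and members, each by names/roles.
SECURITY = {
    "admins": {"names": ["alice"], "roles": []},
    "members": {"names": ["bob"], "roles": ["readers"]},
}

def is_member(user_name, user_roles, security):
    """Membership rule modelled on CouchDB's: server admins (_admin role) and
    database admins always pass; an empty members section means the database
    is open to everyone; otherwise the user must be listed by name or role."""
    if "_admin" in user_roles:
        return True
    admins = security.get("admins", {})
    members = security.get("members", {})
    if user_name in admins.get("names", []) or set(user_roles) & set(admins.get("roles", [])):
        return True
    if not members.get("names") and not members.get("roles"):
        return True
    return user_name in members.get("names", []) or bool(
        set(user_roles) & set(members.get("roles", [])))

def reported_response(user_name, user_roles, security, require_valid_user):
    """Behaviour described in the ticket: every non-member gets 401, and with
    require_valid_user the WWW-Authenticate header follows, so the browser
    prompts even for a user who is already logged in."""
    if is_member(user_name, user_roles, security):
        return 200, {}
    headers = {"WWW-Authenticate": 'Basic realm="server"'} if require_valid_user else {}
    return 401, headers

def access_response(user_name, user_roles, security, require_valid_user):
    """Expected behaviour: 401 (plus the header) only when nobody is
    authenticated; an authenticated non-member gets 403 with no challenge,
    so the browser has nothing to prompt for."""
    if is_member(user_name, user_roles, security):
        return 200, {}
    if user_name is None:  # anonymous request: a challenge is appropriate
        headers = {"WWW-Authenticate": 'Basic realm="server"'} if require_valid_user else {}
        return 401, headers
    return 403, {}  # known user, not a member: forbidden, no re-authentication prompt
```

With `require_valid_user` on, the reported variant answers a logged-in non-member with 401 and a challenge header, while the expected variant answers 403 without one.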
