From: Jim Klo
Reply-To: user@couchdb.apache.org
Subject: Re: _user db security
Date: Fri, 27 Jul 2012 16:58:17 +0000

I believe in 1.2.0 security to _users changed. http://wiki.apache.org/couchdb/Breaking_changes#A_users_database

Authenticated users can read/update their own record only, delete is possible via update, not directly via delete (unless user is admin).

Jim Klo
Senior Software Engineer
Center for Software Engineering
SRI International
t. @nsomnac

On Jul 27, 2012, at 8:19 AM, Wordit wrote:

> How secure is the _user database? Futon will only give admin users
> access (at least on iriscouch). That's what I'm hoping because I want
> to conceal usernames, since they are email addresses.
>
> Is that only because Futon is accessing it in a specific way? I
> somehow remember in couch 1.0 that access to _users was public. Has
> that changed?
>
> Thanks,
> Marcus
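
A check a server owner can run against their own CouchDB to see whether an unauthenticated client can list the names in `_users`, which is the concern raised in this thread. This is an added example, not part of the original messages; `audit_users_db` and `anonymous_get` are hypothetical names, and the code assumes that a server restricting `_users` answers an unauthenticated `_all_docs` request with 401 or 403.

```python
import json
import urllib.error
import urllib.request

USER_PREFIX = "org.couchdb.user:"  # CouchDB's id prefix for user documents


def anonymous_get(url):
    """GET url with no credentials; return (status, decoded JSON or None)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    try:
        return status, json.loads(raw)
    except ValueError:
        return status, None


def audit_users_db(base_url, get=anonymous_get):
    """Report whether an unauthenticated client can list names in _users."""
    status, body = get(base_url.rstrip("/") + "/_users/_all_docs")
    if status in (401, 403):  # assumption: how a restricted server refuses
        return {"exposed": False, "status": status, "names": []}
    if status != 200 or not isinstance(body, dict):
        # Anything else (404, a proxy error page, ...) needs a human look.
        return {"exposed": None, "status": status, "names": []}
    names = [row["id"][len(USER_PREFIX):]
             for row in body.get("rows", [])
             if isinstance(row, dict)
             and row.get("id", "").startswith(USER_PREFIX)]
    return {"exposed": True, "status": status, "names": names}


if __name__ == "__main__":
    # Constructed responses standing in for two servers (no network needed).
    listing = {"rows": [{"id": "_design/_auth"},
                        {"id": "org.couchdb.user:alice@example.com"}]}
    print(audit_users_db("http://localhost:5984", get=lambda url: (200, listing)))
    print(audit_users_db("http://localhost:5984", get=lambda url: (403, None)))
```

Pass the base URL of your own server and leave `get` at its default to run the check over the network; an `exposed` value of `None` means the answer was neither a listing nor a refusal and should be inspected by hand.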