couchdb-user mailing list archives

From svilen ...@svilendobrev.com>
Subject Re: deleting /_users documents
Date Wed, 17 Apr 2013 12:10:54 GMT
mmh. 
anyone can create a user document - /_users is world-writable, sort-of.
at least in 1.2.0. so why not delete it?

or alternatively, can creation of users be prohibited to anyone?

svilen

On Wed, 17 Apr 2013 13:59:15 +0200 Benoit Chesneau
<bchesneau@gmail.com> wrote:

> By design only admins can delete and create users documents.
> 
> Benoît
> On Apr 17, 2013 1:56 PM, "svilen" <az@svilendobrev.com> wrote:
> 
> > Robert Newson <rnewson@apache.org> wrote:
> > > This is the system security stuff. You can only see (and therefore
> > > update/delete) your own user document, unless you're an
> > > administrator.
> >
> > i know that. The point is, it is user's own document.
> > and authentication is provided.
> > get/update works. delete does not.
> >
> > svilen
> >
> > > On 17 April 2013 12:29, svilen <az@svilendobrev.com> wrote:
> > > > g'day
> > > > i'm on couchdb 1.2.0.
> > > > trying to delete /_users/someid?rev=.. .. and it yields 404.
> > > >
> > > > the user needs authentication.
> > > > so plain get fails:
> > > > $ curl -X GET http://srv:5984/_users/org.couchdb.user%3AUSR
> > > >
> > > > {"error":"not_found","reason":"missing"}
> > > >
> > > > ok, add the USR:PSW auth:
> > > > $ curl -X GET http://USR:PSW@srv:5984/_users/org.couchdb.user%3AUSR?rev=3-4b9b6c0f9733f27e6e8e6996544e9610
> > > >
> > > > {"_id":"org.couchdb.user:USR",
> > > > "_rev":"3-4b9b6c0f9733f27e6e8e6996544e9610",
> > > > "name":"USR","roles":[],"type":"user",
> > > > "password_sha":"a5325f1b518b874197c072341875794d6b10ba35"
> > > > }
> > > >
> > > > so get works.
> > > >
> > > > now delete the above:
> > > >
> > > > $ curl -vX DELETE http://USR:PSW@server:5984/_users/org.couchdb.user%3AUSR?rev=3-4b9b6c0f9733f27e6e8e6996544e9610
> > > > * Connected to h (192.168.100.100) port 5984 (#0)
> > > > * Server auth using Basic with user 'USR'
> > > >> DELETE /_users/org.couchdb.user%3AUSR?rev=3-4b9b6c0f9733f27e6e8e6996544e9610 HTTP/1.1
> > > >> Authorization: Basic MTUwY2I5ZWUtYTMxNC00MmMyLWE2ODQtZWMzMTNhOTVlNmY3Onc=
> > > >> User-Agent: curl/7.29.0
> > > >> Host: h:5984
> > > >> Accept: */*
> > > >>
> > > > < HTTP/1.1 404 Object Not Found
> > > > < Server: CouchDB/1.2.0 (Erlang OTP/R15B01)
> > > > < Date: Wed, 17 Apr 2013 11:14:51 GMT
> > > > < Content-Type: text/plain; charset=utf-8
> > > > < Content-Length: 41
> > > > < Cache-Control: must-revalidate
> > > > <
> > > > {"error":"not_found","reason":"missing"}
> > > >
> > > > --------
> > > > other databases are deleting things fine.
> > > > any idea? is that some special treatment for /_users or what?
> > > >
> > > > ciao
> > > > svilen
> >
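
An added example, not part of the original thread and not CouchDB's own code: one way to make /_users behave as "only admins can delete and create users documents", which also addresses the question of prohibiting user creation. It assumes an admin stores the function source as the `validate_doc_update` field of an extra design document in /_users; the harness, sample documents and the `root` admin name are constructed.

```javascript
// Added example (not from the thread, not CouchDB's own code).
// Assumption: this function's source is stored as the validate_doc_update
// field of an extra design document that an admin creates in /_users.
var validateDocUpdate = function (newDoc, oldDoc, userCtx, secObj) {
  // Server admins carry the built-in "_admin" role in userCtx.roles.
  if (userCtx.roles.indexOf('_admin') !== -1) {
    return;
  }
  // No previous revision means this write creates a new user document.
  if (!oldDoc) {
    throw { forbidden: 'Only admins may create user documents.' };
  }
  // A DELETE arrives as a new revision carrying _deleted: true.
  if (newDoc._deleted === true) {
    throw { forbidden: 'Only admins may delete user documents.' };
  }
  // Non-admins may still update, but only their own document.
  if (userCtx.name !== oldDoc.name) {
    throw { forbidden: 'You may only update your own user document.' };
  }
};

// Local harness: returns 'ok' or the rejection reason for one write.
function tryWrite(newDoc, oldDoc, userCtx) {
  try {
    validateDocUpdate(newDoc, oldDoc, userCtx, {});
    return 'ok';
  } catch (e) {
    if (e && e.forbidden) return 'forbidden: ' + e.forbidden;
    throw e;
  }
}

// Constructed sample documents and request contexts.
var stored = { _id: 'org.couchdb.user:USR', name: 'USR', roles: [], type: 'user' };
var tombstone = { _id: stored._id, _rev: '3-constructed', _deleted: true };
var anon = { name: null, roles: [] };
var usr = { name: 'USR', roles: [] };
var admin = { name: 'root', roles: ['_admin'] };

function demo() {
  return {
    anonymousSignup: tryWrite(stored, null, anon),
    selfUpdate: tryWrite(stored, stored, usr),
    selfDelete: tryWrite(tombstone, stored, usr),
    adminDelete: tryWrite(tombstone, stored, admin)
  };
}
console.log(demo());
```

With this function in place self-signup stops working, so every account has to be created by an admin.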
