couchdb-user mailing list archives

From svilen ...@svilendobrev.com>
Subject Re: deleting /_users documents
Date Wed, 17 Apr 2013 12:17:06 GMT
Also, http://wiki.apache.org/couchdb/Security_Features_Overview
says nothing about deleting:

...
In addition, the _users database is now treated different from other
databases:
 - An anonymous user can only create a new document.
 - An authenticated user can only update their own document.
 - A server or database admin can access and update all documents.
 - Only admins can create design documents and access views and _all_docs and _changes.

Some rules regarding user documents:
 - when created by a non server admin user, the "roles" attribute must be
   an empty array
 - a non server admin user can only update his own user document
 - when updated by a non server admin user, the "roles" attribute must
   remain unchanged
 - role names can not start with an underscore
 - user names can not start with an underscore

...

svilen

On Wed, 17 Apr 2013 13:59:15 +0200
Benoit Chesneau <bchesneau@gmail.com> wrote:

> By design only admins can delete and create users documents.
> 
> Benoît
> On Apr 17, 2013 1:56 PM, "svilen" <az@svilendobrev.com> wrote:
> 
> > Robert Newson <rnewson@apache.org> wrote:
> > > This is the system security stuff. You can only see (and therefore
> > > update/delete) your own user document, unless you're an
> > > administrator.
> >
> > i know that. The point is, it is user's own document.
> > and authentication is provided.
> > get/update works. delete does not.
> >
> > svilen
> >
> > > On 17 April 2013 12:29, svilen <az@svilendobrev.com> wrote:
> > > > g'day
> > > > i'm on couchdb 1.2.0.
> > > > trying to delete /_users/someid?rev=.. .. and it yields 404.
> > > >
> > > > the user needs authentication.
> > > > so plain get fails:
> > > > > $ curl -X GET http://srv:5984/_users/org.couchdb.user%3AUSR
> > > >
> > > > {"error":"not_found","reason":"missing"}
> > > >
> > > > ok, add the USR:PSW auth:
> > > > > $ curl -X GET http://USR:PSW@srv:5984/_users/org.couchdb.user%3AUSR?rev=3-4b9b6c0f9733f27e6e8e6996544e9610
> > > >
> > > > {"_id":"org.couchdb.user:USR",
> > > > "_rev":"3-4b9b6c0f9733f27e6e8e6996544e9610",
> > > > "name":"USR","roles":[],"type":"user",
> > > > "password_sha":"a5325f1b518b874197c072341875794d6b10ba35"
> > > > }
> > > >
> > > > so get works.
> > > >
> > > > now delete the above:
> > > >
> > > > > $ curl -vX DELETE http://USR:PSW@server:5984/_users/org.couchdb.user%3AUSR?rev=3-4b9b6c0f9733f27e6e8e6996544e9610
> > > > > * Connected to h (192.168.100.100) port 5984 (#0)
> > > > > * Server auth using Basic with user 'USR'
> > > > >> DELETE /_users/org.couchdb.user%3AUSR?rev=3-4b9b6c0f9733f27e6e8e6996544e9610 HTTP/1.1
> > > > >> Authorization: Basic MTUwY2I5ZWUtYTMxNC00MmMyLWE2ODQtZWMzMTNhOTVlNmY3Onc=
> > > > >> User-Agent: curl/7.29.0
> > > > >> Host: h:5984
> > > > >> Accept: */*
> > > > >>
> > > > < HTTP/1.1 404 Object Not Found
> > > > < Server: CouchDB/1.2.0 (Erlang OTP/R15B01)
> > > > < Date: Wed, 17 Apr 2013 11:14:51 GMT
> > > > < Content-Type: text/plain; charset=utf-8
> > > > < Content-Length: 41
> > > > < Cache-Control: must-revalidate
> > > > <
> > > > {"error":"not_found","reason":"missing"}
> > > >
> > > > --------
> > > > other databases are deleting things fine.
> > > > any idea? is that some special treatment for /_users or what?
> > > >
> > > > ciao
> > > > svilen
> >
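
Added example, not part of the thread and not CouchDB's own code: a JavaScript model, using the validate_doc_update argument order (newDoc, oldDoc, userCtx), of the _users rules quoted from the wiki plus the admin-only delete stated in the reply. Creation follows the wiki excerpt. The names validateUserDoc and tryWrite and the sample documents are constructed for illustration, and the model reports a denial as a "forbidden" error, whereas the server in the thread answered 404.

```javascript
// Illustrative model of the /_users write rules discussed in this thread.
// Same argument order as a CouchDB validate_doc_update function; validateUserDoc
// and tryWrite are hypothetical names, not CouchDB's own code.
function validateUserDoc(newDoc, oldDoc, userCtx) {
  const isAdmin = userCtx.roles.indexOf("_admin") !== -1;
  const deny = (msg) => { throw { forbidden: msg }; };

  // Deletion: admin only, even for the user's own document.
  if (newDoc._deleted) {
    if (!isAdmin) deny("only admins may delete user documents");
    return;
  }
  // Naming rules (assumption: applied to every writer, admins included).
  if (typeof newDoc.name !== "string" || newDoc.name.charAt(0) === "_")
    deny("user names can not start with an underscore");
  if (!Array.isArray(newDoc.roles)) deny("roles must be an array");
  if (newDoc.roles.some((r) => String(r).charAt(0) === "_"))
    deny("role names can not start with an underscore");
  if (isAdmin) return;

  if (!oldDoc) {
    // Creation by a non-admin: anonymous signup only, with no roles.
    if (userCtx.name !== null) deny("authenticated users can only update their own document");
    if (newDoc.roles.length !== 0) deny("roles must be an empty array");
    return;
  }
  // Update by a non-admin: own document only, roles unchanged.
  if (userCtx.name !== oldDoc.name || newDoc.name !== oldDoc.name)
    deny("you may only update your own user document");
  if (JSON.stringify(newDoc.roles) !== JSON.stringify(oldDoc.roles))
    deny("roles must remain unchanged");
}

// Returns "ok" or the forbidden reason, so outcomes are easy to compare.
function tryWrite(newDoc, oldDoc, userCtx) {
  try { validateUserDoc(newDoc, oldDoc, userCtx); return "ok"; }
  catch (e) { if (e && e.forbidden) return e.forbidden; throw e; }
}

// Constructed sample data mirroring the document shown in the thread.
const stored = { _id: "org.couchdb.user:USR", name: "USR", roles: [], type: "user" };
const usr = { name: "USR", roles: [] };
const admin = { name: "root", roles: ["_admin"] };
const tombstone = { _id: stored._id, _deleted: true };

console.log(tryWrite(tombstone, stored, usr));    // owner deleting own doc
console.log(tryWrite(tombstone, stored, admin));  // admin deleting it
console.log(tryWrite(Object.assign({}, stored, { roles: ["staff"] }), stored, usr));
```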
