couchdb-user mailing list archives

From Robert Newson <rnew...@apache.org>
Subject Re: deleting /_users documents
Date Wed, 17 Apr 2013 12:57:30 GMT
Right. Best to file a JIRA ticket.

On 17 April 2013 13:38, svilen <az@svilendobrev.com> wrote:
> then something is eating it before that.
> as it yields 404/notfound , not 403/forbidden
>
> svil
>
> On Wed, 17 Apr 2013 13:25:43 +0100
> Robert Newson <rnewson@apache.org> wrote:
>
>> The injected validator certainly expects a user to be able to delete
>> their own document;
>>
>>         if (newDoc._deleted === true) {
>>             // allow deletes by admins and matching users
>>             // without checking the other fields
>>             if ((userCtx.roles.indexOf('_admin') !== -1) ||
>>                 (userCtx.name == oldDoc.name)) {
>>                 return;
>>             } else {
>>                 throw({forbidden: 'Only admins may delete other user docs.'});
>>             }
>>         }
>>
>> B.
>>
>> On 17 April 2013 13:17, svilen <az@svilendobrev.com> wrote:
>> > Also, http://wiki.apache.org/couchdb/Security_Features_Overview
>> > says nothing about deleting:
>> >
>> > ...
>> > In addition, the _users database is now treated differently from other
>> > databases:
>> >  An anonymous user can only create a new document.
>> >  An authenticated user can only update their own document.
>> >  A server or database admin can access and update all documents.
>> >  Only admins can create design documents and access views and
>> > _all_docs and _changes.
>> >
>> > Some rules regarding user documents:
>> >  when created by a non server admin user, the "roles" attribute
>> > must be an empty array
>> >  a non server admin user can only update his own user document
>> >  when updated by a non server admin user, the "roles" attribute must
>> > remain unchanged
>> >  role names can not start with an underscore
>> >  user names can not start with an underscore
>> >
>> > ...
>> >
>> > svilen
>> >
>> > On Wed, 17 Apr 2013 13:59:15 +0200
>> > Benoit Chesneau <bchesneau@gmail.com> wrote:
>> >
>> >> By design only admins can delete and create users documents.
>> >>
>> >> Benoît
>> >> On Apr 17, 2013 1:56 PM, "svilen" <az@svilendobrev.com> wrote:
>> >>
>> >> > Robert Newson <rnewson@apache.org> wrote:
>> >> > > This is the system security stuff. You can only see (and
>> >> > > therefore update/delete) your own user document, unless you're
>> >> > > an administrator.
>> >> >
>> >> > i know that. The point is, it is user's own document.
>> >> > and authentication is provided.
>> >> > get/update works. delete does not.
>> >> >
>> >> > svilen
>> >> >
>> >> > > On 17 April 2013 12:29, svilen <az@svilendobrev.com> wrote:
>> >> > > > g'day
>> >> > > > i'm on couchdb 1.2.0.
>> >> > > > trying to delete /_users/someid?rev=.. .. and it yields 404.
>> >> > > >
>> >> > > > the user needs authentication.
>> >> > > > so plain get fails:
>> >> > > > $ curl -X GET
>> >> > > > http://srv:5984/_users/org.couchdb.user%3AUSR
>> >> > > >
>> >> > > > {"error":"not_found","reason":"missing"}
>> >> > > >
>> >> > > > ok, add the USR:PSW auth:
>> >> > > > $ curl -X GET
>> >> > > > http://USR:PSW@srv:5984/_users/org.couchdb.user%3AUSR?rev=3-4b9b6c0f9733f27e6e8e6996544e9610
>> >> > > >
>> >> > > > {"_id":"org.couchdb.user:USR",
>> >> > > > "_rev":"3-4b9b6c0f9733f27e6e8e6996544e9610",
>> >> > > > "name":"USR","roles":[],"type":"user",
>> >> > > > "password_sha":"a5325f1b518b874197c072341875794d6b10ba35"
>> >> > > > }
>> >> > > >
>> >> > > > so get works.
>> >> > > >
>> >> > > > now delete the above:
>> >> > > >
>> >> > > > $ curl -vX DELETE
>> >> > > > http://USR:PSW@server:5984/_users/org.couchdb.user%3AUSR?rev=3-4b9b6c0f9733f27e6e8e6996544e9610
>> >> > > > * Connected to h (192.168.100.100) port 5984 (#0)
>> >> > > > * Server auth using Basic with user 'USR'
>> >> > > >> DELETE /_users/org.couchdb.user%3AUSR?rev=3-4b9b6c0f9733f27e6e8e6996544e9610 HTTP/1.1
>> >> > > >> Authorization: Basic MTUwY2I5ZWUtYTMxNC00MmMyLWE2ODQtZWMzMTNhOTVlNmY3Onc=
>> >> > > >> User-Agent: curl/7.29.0
>> >> > > >> Host: h:5984
>> >> > > >> Accept: */*
>> >> > > >>
>> >> > > > < HTTP/1.1 404 Object Not Found
>> >> > > > < Server: CouchDB/1.2.0 (Erlang OTP/R15B01)
>> >> > > > < Date: Wed, 17 Apr 2013 11:14:51 GMT
>> >> > > > < Content-Type: text/plain; charset=utf-8
>> >> > > > < Content-Length: 41
>> >> > > > < Cache-Control: must-revalidate
>> >> > > > <
>> >> > > > {"error":"not_found","reason":"missing"}
>> >> > > >
>> >> > > > --------
>> >> > > > other databases are deleting things fine.
>> >> > > > any idea? is that some special treatment for /_users or what?
>> >> > > >
>> >> > > > ciao
>> >> > > > svilen
>> >> >
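The validator snippet and the wiki rules quoted in this thread can be read together as one document-update check. The following is an added example written for this archive page, not CouchDB's own `validate_doc_update` for `_users` (the function names `validateUserDoc` and `checkUserDoc`, the `isAdmin` helper and the sample documents are assumptions). It shows which requests the documented rules accept and which they reject with a `forbidden` outcome (a 403 at the HTTP layer); it does not attempt to reproduce the 404 the thread reports for the DELETE, which the thread attributes to something earlier in the request path than the validator.

```javascript
// Added example, not CouchDB's own validator: a validate_doc_update-style
// function that enforces the _users rules quoted in the thread above.
// CouchDB invokes validate_doc_update(newDoc, oldDoc, userCtx, secObj);
// userCtx looks like {name: 'USR', roles: []} (name is null when anonymous).
// Function names and the sample documents below are assumptions for this example.

function isAdmin(userCtx) {
  return userCtx.roles.indexOf('_admin') !== -1;
}

function validateUserDoc(newDoc, oldDoc, userCtx) {
  if (newDoc._deleted === true) {
    // Deletes: allowed for admins and for the matching user, without
    // checking the other fields (mirrors the snippet quoted above).
    if (isAdmin(userCtx) || (oldDoc && userCtx.name == oldDoc.name)) {
      return;
    }
    throw({forbidden: 'Only admins may delete other user docs.'});
  }

  // Shape checks that apply to everyone, admins included.
  if (newDoc.type !== 'user') {
    throw({forbidden: 'doc.type must be user'});
  }
  if (typeof newDoc.name !== 'string') {
    throw({forbidden: 'doc.name is required'});
  }
  if (newDoc._id !== 'org.couchdb.user:' + newDoc.name) {
    throw({forbidden: 'Doc ID must be of the form org.couchdb.user:name'});
  }
  if (!Array.isArray(newDoc.roles)) {
    throw({forbidden: 'doc.roles must be an array'});
  }
  if (newDoc.name.charAt(0) === '_') {
    throw({forbidden: 'User names can not start with an underscore'});
  }
  for (var i = 0; i < newDoc.roles.length; i++) {
    if (typeof newDoc.roles[i] !== 'string' || newDoc.roles[i].charAt(0) === '_') {
      throw({forbidden: 'Role names can not start with an underscore'});
    }
  }

  if (isAdmin(userCtx)) {
    return; // server admins may create and update any user document
  }

  if (oldDoc) {
    // Update by a non-admin: only the owner, and roles must stay unchanged.
    if (userCtx.name !== oldDoc.name) {
      throw({forbidden: 'You may only update your own user document.'});
    }
    if (JSON.stringify(oldDoc.roles) !== JSON.stringify(newDoc.roles)) {
      throw({forbidden: 'Only _admin may edit roles'});
    }
  } else if (newDoc.roles.length > 0) {
    // Create by a non-admin (anonymous or not): roles must be an empty array.
    throw({forbidden: 'Only _admin may set roles'});
  }
}

// Wrapper that turns the thrown {forbidden: ...} object into a string so the
// outcome of each scenario can be compared: 'ok' or the forbidden reason.
function checkUserDoc(newDoc, oldDoc, userCtx) {
  try {
    validateUserDoc(newDoc, oldDoc, userCtx);
    return 'ok';
  } catch (e) {
    return e.forbidden || String(e);
  }
}

// Constructed sample data, shaped like the document shown in the thread.
const usrDoc = {
  _id: 'org.couchdb.user:USR', _rev: '3-4b9b6c0f9733f27e6e8e6996544e9610',
  name: 'USR', roles: [], type: 'user',
  password_sha: 'a5325f1b518b874197c072341875794d6b10ba35'
};
const deletion = {_id: usrDoc._id, _rev: usrDoc._rev, _deleted: true};
const asUSR = {name: 'USR', roles: []};
const asOther = {name: 'OTHER', roles: []};
const asAdmin = {name: 'admin', roles: ['_admin']};
const anonymous = {name: null, roles: []};

// What the documented rules say each request should get.
console.log('USR deletes own doc:       ', checkUserDoc(deletion, usrDoc, asUSR));
console.log('OTHER deletes USR doc:     ', checkUserDoc(deletion, usrDoc, asOther));
console.log('anonymous creates w/ roles:', checkUserDoc(Object.assign({}, usrDoc, {roles: ['x']}), null, anonymous));
console.log('USR changes own roles:     ', checkUserDoc(Object.assign({}, usrDoc, {roles: ['editor']}), usrDoc, asUSR));
```

Run it with node; each line prints a scenario and its outcome. The first scenario is the one svilen describes: a user deleting their own document passes the validator, so the rules as quoted would answer with 200 rather than either 403 or 404.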
