From: max
Date: Mon, 25 Sep 2017 12:45:50 +0200
Subject: Re: User with _users admin Permissions cannot delete document
To: user@couchdb.apache.org
archived-at: Mon, 25 Sep 2017 10:46:00 -0000

Thank you. I'm gonna create a user admin and I'll use it from a local service exposed to the web with classic CouchDB auth.

Last question about 2.1: in Fauxton I couldn't find a way to navigate through document revisions (like the "previous version" button in 1.6.1). Is it still possible?

On 25 Sept 2017 11:31 AM, "Jan Lehnardt" wrote:

> Stefan is correct that this is expected behaviour, but I'd reject the
> notion that it is in any way recommended to not use the CouchDB user
> system. All you need to do is have a CouchDB admin user do the _users
> edits.
>
> Of course you can build your own system on top, but I wouldn't recommend
> that.
>
> Best
> Jan
> --
>
> > On 23. Sep 2017, at 15:17, max wrote:
> >
> > Thank you for your answers. I'll try with a simple web services layer.
> >
> > On 23 Sept 2017 3:14 PM, "Stefan du Fresne" wrote:
> >
> >> None that I know of, no. Ideally it would just work, but I think editing
> >> permissions for _users is effectively deprecated at this point.
> >>
> >> Really the only thing you can do is write a security layer yourself,
> >> either by wrapping CouchDB and converting those calls (after checking
> >> your own security) to be done by an admin user, or provide a separate
> >> API etc.
> >>
> >> Stefan
> >>> On 23 Sep 2017, at 13:40, max wrote:
> >>>
> >>> Thanks,
> >>>
> >>> Any workaround from configuration? I would like to avoid making more
> >>> CouchDB admins...
> >>>
> >>> On 23 Sept 2017 1:08 PM, "Stefan du Fresne" wrote:
> >>>
> >>>> This is currently how it works, yeah.
> >>>>
> >>>> I believe the current recommendation for user management is to
> >>>> effectively ignore the permissions matrix in the _users database and
> >>>> instead wrap CouchDB in your own permissions management.
> >>>>
> >>>> Stefan
> >>>>> On 22 Sep 2017, at 17:36, max wrote:
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>> I'm trying CouchDB 2.1 and facing a (strange?) issue. I have given
> >>>>> admin access through "Permissions" to "user1" and every user with the
> >>>>> role "manager". This allowed these users to call a view from _design
> >>>>> in the _users database. But this is not enough to delete other users;
> >>>>> to do that, a user has to be a super CouchDB Admin. Is this the
> >>>>> expected behavior? I got "Only admins may delete other user docs"
> >>>>> whereas he is an admin.
> >>>>>
> >>>>> These are my _users database permissions:
> >>>>>
> >>>>> {"error":"unauthorized","reason":"Authentication required.","admins":{"names":["user1"],"roles":["manager"]}}
> >>>>>
> >>>>>
> >>>>> Regards,
> >>>>>
> >>>>> Max.
>
> --
> Professional Support for Apache CouchDB:
> https://neighbourhood.ie/couchdb-support/
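
The wrapper approach discussed in this thread (check your own permissions first, then have a CouchDB admin perform the `_users` edit), sketched as an added example that is not part of the original messages or of CouchDB itself. The function names, the `PROTECTED_ROLES` policy and the sample users are assumptions; the `admins` object is the one quoted in the thread.

```javascript
// Added example: authorization gate for a wrapper service in front of CouchDB.
// ADMINS mirrors the "admins" object quoted in the thread; PROTECTED_ROLES is
// an assumed local policy, not a CouchDB setting.
const ADMINS = { names: ["user1"], roles: ["manager"] };
const PROTECTED_ROLES = ["manager"];
const USER_PREFIX = "org.couchdb.user:"; // CouchDB's _id prefix for user docs

const deny = (reason) => ({ allowed: false, reason });

// userCtx: { name, roles } of the authenticated caller (assumed to come from
// CouchDB's /_session response for the caller's own credentials).
function isUsersDbAdmin(userCtx, admins) {
  const roles = Array.isArray(userCtx.roles) ? userCtx.roles : [];
  return admins.names.includes(userCtx.name) ||
    roles.some((role) => admins.roles.includes(role));
}

// Decide whether the wrapper may delete targetDoc for this caller. When
// allowed, `request` is what the wrapper sends with its own admin credentials.
function planUserDelete(userCtx, targetDoc, admins = ADMINS) {
  if (!userCtx || typeof userCtx.name !== "string" || userCtx.name === "") {
    return deny("unauthenticated");
  }
  if (!isUsersDbAdmin(userCtx, admins)) return deny("caller is not a _users admin");
  if (!targetDoc || targetDoc.type !== "user" ||
      typeof targetDoc.name !== "string" ||
      targetDoc._id !== USER_PREFIX + targetDoc.name) {
    return deny("target is not a well-formed user document");
  }
  if (targetDoc.name === userCtx.name) return deny("self-deletion not handled here");
  const targetRoles = Array.isArray(targetDoc.roles) ? targetDoc.roles : [];
  const namedAdmin = admins.names.includes(userCtx.name);
  if (!namedAdmin && targetRoles.some((r) => PROTECTED_ROLES.includes(r))) {
    return deny("target holds a protected role");
  }
  if (typeof targetDoc._rev !== "string") return deny("missing _rev");
  // Encode the id so an unusual user name cannot change the request path.
  const path = "/_users/" + encodeURIComponent(targetDoc._id) +
    "?rev=" + encodeURIComponent(targetDoc._rev);
  return { allowed: true, reason: "ok", request: { method: "DELETE", path } };
}

// Constructed sample data.
const manager = { name: "alice", roles: ["manager"] };
const bobDoc = { _id: "org.couchdb.user:bob", _rev: "1-abc", type: "user", name: "bob", roles: [] };
console.log(planUserDelete(manager, bobDoc));
```

The admin credentials stay inside the wrapper; callers only ever present their own session, so no additional CouchDB server admins are handed out.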