incubator-couchdb-dev mailing list archives

From Brian Candler <B.Cand...@pobox.com>
Subject Re: DB ACLs (was Re: 0.11 Release / Feature Freeze for 1.0)
Date Tue, 16 Feb 2010 10:50:27 GMT
On Tue, Feb 09, 2010 at 07:30:37PM +0000, Brian Candler wrote:
> > couch_db:check_is_admin() should allow access in this case.
> > 
> > If you can reliably reproduce this, I'd like to fix it.
> 
> Yes, I can reliably reproduce.

I have just upgraded to latest trunk and for some reason I can't reproduce
in a fresh db, but my existing db shows it.

I added some extra debugging in check_is_admin:

diff --git a/src/couchdb/couch_db.erl b/src/couchdb/couch_db.erl
index 6d5da15..6b033f5 100644
--- a/src/couchdb/couch_db.erl
+++ b/src/couchdb/couch_db.erl
@@ -238,7 +238,9 @@ check_is_admin(#db{user_ctx=#user_ctx{name=Name,roles=Roles}}=Db) ->
     AdminRoles -> % same list, not an admin role
         case AdminNames -- [Name] of
         AdminNames -> % same names, not an admin
-            throw({unauthorized, <<"You are not a db or server admin.">>});
+            %% throw({unauthorized, <<"You are not a db or server admin.">>});
+            Msg = list_to_binary(io_lib:format("Bah. Admins=~p, AdminNames=~p, AdminRoles=~p,
Name=~p, Roles=~p", [Admins, AdminNames, AdminRoles, Name, Roles])),
+            throw({unauthorized, Msg});
         _ ->
             ok
         end;
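
Review bot: the replacement throw in the inner `AdminNames ->` branch puts Admins, AdminNames, AdminRoles, Name and Roles into the `unauthorized` reason, and that reason goes back to the client in the HTTP response body, so any caller who fails the check is told the configured admin names and roles along with how the server parsed its own credentials. That is fine for a local debugging session but should not be committed. Keep the original `throw({unauthorized, <<"You are not a db or server admin.">>})` and send the same format string and argument list to the server log instead, for example through `?LOG_DEBUG`. The commented-out original throw should also be removed rather than left in place once the debugging is done.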

Now this is what I see:

$ curl http://127.0.0.1:5984/briantest/_security
{"admins":{"names":["brianadmin"],"roles":[]},"readers":{"names":[],"roles":[]},"sec_obj":{"foo":"bar"}}
$ curl -X PUT -d '{}' http://brianadmin:brianadmin@127.0.0.1:5984/briantest/_design/foo
{"error":"unauthorized","reason":"Bah. Admins=[], AdminNames=[], AdminRoles=[<<\"_admin\">>],
Name=<<\"brianadmin\">>, Roles=[]"}

So whilst reading the _security document via HTTP shows "brianadmin" as an
admin name, for some reason AdminNames is empty in check_is_admin.

This seems very bizarre to me: getting _security returns SecProps, but
get_admins just picks out the "admins" member of SecProps.

Regards,

Brian.
