incubator-couchdb-user mailing list archives

From Gregor Martynus <gre...@martynus.net>
Subject Re: authentication: signed in as user1 (cookie), but sending request as user2?
Date Wed, 23 May 2012 17:51:02 GMT
Cheers Robert!

The problem is, I'm sending these requests from the browser, which does not allow me to override
the Cookie header for security reasons.

Do you think it would make sense to switch the order? In case both authentication methods
are passed, with different credentials, I don't see a use case why Cookie should overwrite
HTTP basic, do you?

But besides that, is there any other workaround you can think of?

My use case is that each user has its own database. To share data, separate shared dbs do
get created. I'd like to allow password protection for these using CouchDB's built-in security
mechanisms.

-- 
Gregor Martynus


On Wednesday, 23. May 2012 at 19:33, Robert Newson wrote:

> I think we check for the cookie first. Just don't send it when you
> 'send a request as user2'.
> 
> B.
> 
> On 23 May 2012 18:27, Gregor Martynus <gregor@martynus.net> wrote:
> > Hey couch folks,
> > 
> > let's say there is a database "user2", which has Readers: ["user2"] in its security settings.
> > 
> > Now let's say user1 is logged in, with cookie authentication and he has the password of user2. Is there any way he can make an authenticated request as user2: `GET /user2/_all_docs`
> > 
> > I tried it with the Authorization header, but that only works if I'm signed out. Once I'm signed in as a user, the Authorization header is ignored.
> > 
> > So the question is: when I'm logged in as user1 with cookies, can I send a request as user2, when I know the password?
> > 
> > --
> > Gregor Martynus
> > 
> 
> 
> 
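
One way to follow the "just don't send it" advice from browser code, as an added example that is not part of the original thread: the Fetch API (which browsers gained after this thread) can omit cookies with `credentials: 'omit'`, so only the explicit Authorization header reaches the server. The function names, sample credentials and the same-origin CouchDB URL are assumptions.

```javascript
// Added example: basicAuthHeader, requestAs and allDocsAs are hypothetical
// helper names, not CouchDB or thread code.

// Build an RFC 7617 Basic credential. The string is encoded as UTF-8 first
// because btoa() only accepts Latin-1 code units and throws on anything else.
function basicAuthHeader(user, password) {
  if (user.includes(':')) {
    throw new Error('user name must not contain ":" in Basic auth');
  }
  const bytes = new TextEncoder().encode(`${user}:${password}`);
  let binary = '';
  for (const b of bytes) binary += String.fromCharCode(b);
  return 'Basic ' + btoa(binary);
}

// fetch() options for a request made as another user while a session cookie
// for the signed-in user exists. credentials: 'omit' keeps the browser from
// attaching cookies, so the cookie check on the server has nothing to match.
function requestAs(user, password, method = 'GET') {
  return {
    method,
    credentials: 'omit',
    headers: {
      Accept: 'application/json',
      Authorization: basicAuthHeader(user, password),
    },
  };
}

// Constructed usage: read /user2/_all_docs as user2 from a page where user1
// is signed in. baseUrl is assumed to be same-origin with the page.
async function allDocsAs(baseUrl, db, user, password) {
  const url = `${baseUrl}/${encodeURIComponent(db)}/_all_docs`;
  const res = await fetch(url, requestAs(user, password));
  if (!res.ok) throw new Error(`request as ${user} failed: HTTP ${res.status}`);
  return res.json();
}
```

The user1 session cookie stays in the browser and is still sent on ordinary requests; only calls built with `requestAs` go out without it.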


