incubator-couchdb-user mailing list archives

From Robert Newson <rnew...@apache.org>
Subject Re: authentication: signed in as user1 (cookie), but sending request as user2?
Date Wed, 23 May 2012 17:33:08 GMT
I think we check for the cookie first. Just don't send it when you
'send a request as user2'.

B.

On 23 May 2012 18:27, Gregor Martynus <gregor@martynus.net> wrote:
> Hey couch folks,
>
> let's say there is a database "user2", which has Readers: ["user2"] in its security settings.
>
> Now let's say user1 is logged in, with cookie authentication and he has the password of user2. Is there any way he can make an authenticated request as user2: `GET /user2/_all_docs`
>
> I tried it with the Authorization header, but that only works if I'm signed out. Once I'm signed in as a user, the Authorization header is ignored.
>
> So the question is: when I'm logged in as user1 with cookies, can I send a request as user2, when I know the password?
>
> --
> Gregor Martynus
>
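
An added example, not part of the original thread and not CouchDB code: browser-side fetch() options that leave out user1's session cookie and send only user2's Basic credentials, plus a simplified model of the "cookie first" order the reply describes. The names requestAs, basicAuthHeader and resolveIdentity and the sample password are hypothetical.

```javascript
// Added example; all function names and the sample credentials are hypothetical.

// "Basic " + base64 of the UTF-8 bytes of "user:password" (browsers and Node 16+).
function basicAuthHeader(user, password) {
  if (user.includes(":")) throw new Error("user name must not contain ':'");
  const bytes = new TextEncoder().encode(`${user}:${password}`);
  return "Basic " + btoa(String.fromCharCode(...bytes));
}

// fetch() options for a one-off request as another user.
// credentials: "omit" stops the browser from attaching user1's session cookie,
// so the Authorization header is the only credential the server sees.
function requestAs(user, password) {
  return {
    method: "GET",
    credentials: "omit",
    headers: { Authorization: basicAuthHeader(user, password) },
  };
}

// Simplified model of the order described in the reply: cookie first, then the
// Authorization header. The session cookie is stood in for by the user name.
function resolveIdentity({ cookieUser, authorization }) {
  if (cookieUser) return cookieUser;
  if (authorization && authorization.startsWith("Basic ")) {
    const raw = Uint8Array.from(atob(authorization.slice(6)), (c) => c.charCodeAt(0));
    const decoded = new TextDecoder().decode(raw);
    return decoded.slice(0, decoded.indexOf(":"));
  }
  return null; // anonymous
}

// Constructed sample: user1 holds a session, the request is meant to run as user2.
const opts = requestAs("user2", "constructed-password");
const header = opts.headers.Authorization;
const withCookie = resolveIdentity({ cookieUser: "user1", authorization: header });
const withoutCookie = resolveIdentity({ cookieUser: null, authorization: header });
console.log({ withCookie, withoutCookie });

// In a browser, with the URL from the question:
//   fetch("/user2/_all_docs", opts).then((res) => res.json());
```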
