incubator-couchdb-user mailing list archives

From Robert Newson <rnew...@apache.org>
Subject Re: authentication: signed in as user1 (cookie), but sending request as user2?
Date Wed, 23 May 2012 19:06:14 GMT
That sounds ok as a workaround, but what you're doing, obviously, is
sending authentication details for two different users. You can't
depend on every couchdb server evaluating them in an order that lets
you get away with that.

I don't understand your assertion that you can't control the requests
you send from the browser. I thought this was simple to do with ajax?
I mean, you're clearly able to add the basic Authorization header, so
why aren't you able to not send the Cookie header?

B.

On 23 May 2012 19:33, Gregor Martynus <gregor@martynus.net> wrote:
> I might have found the answer to my question:
>
> There is a setting: httpd.authentication_handlers. By default it says:
> {couch_httpd_oauth, oauth_authentication_handler}, {couch_httpd_auth, cookie_authentication_handler}, {couch_httpd_auth, default_authentication_handler}
>
> putting cookie_authentication_handler at the end makes it work for me
> {couch_httpd_oauth, oauth_authentication_handler}, {couch_httpd_auth, default_authentication_handler}, {couch_httpd_auth, cookie_authentication_handler}
>
> Any downsides you can think of when I'm changing this setting?
>
> --
> Gregor Martynus
>
>
> On Wednesday, 23. May 2012 at 19:27, Gregor Martynus wrote:
>
>> Hey couch folks,
>>
>> let's say there is a database "user2", which has Readers: ["user2"] in its security settings.
>>
>> Now let's say user1 is logged in, with cookie authentication, and he has the password of user2. Is there any way he can make an authenticated request as user2: `GET /user2/_all_docs`
>>
>> I tried it with the Authorization header, but that only works if I'm signed out. Once I'm signed in as a user, the Authorization header is ignored.
>>
>> so the question is: when I'm logged in as user1 with cookies, can I send a request as user2, when I know the password?
>>
>> --
>> Gregor Martynus
>>
>
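Editor's note, added to this archive page and not part of either message: the setting the thread refers to is `authentication_handlers` in the `[httpd]` section of CouchDB 1.x `local.ini`. The fragment below is a constructed example showing the default order quoted above beside the reordering Gregor used; the only change is which of the two `couch_httpd_auth` handlers is tried first. CouchDB walks the list in order and stops at the first handler that establishes a user context, so with the default order a valid `AuthSession` cookie (user1) is honoured before the `Authorization: Basic` header (user2) is ever examined, which is why the header appeared to be ignored. `default_authentication_handler` is the HTTP Basic handler.

```ini
; Default (CouchDB 1.x): cookie is checked before HTTP Basic.
; A request carrying both a valid AuthSession cookie and an
; Authorization header is authenticated as the cookie's user.
[httpd]
authentication_handlers = {couch_httpd_oauth, oauth_authentication_handler}, {couch_httpd_auth, cookie_authentication_handler}, {couch_httpd_auth, default_authentication_handler}

; Reordered (the workaround from the thread): HTTP Basic is checked
; before the cookie, so the same request is authenticated as the
; user named in the Authorization header instead.
; [httpd]
; authentication_handlers = {couch_httpd_oauth, oauth_authentication_handler}, {couch_httpd_auth, default_authentication_handler}, {couch_httpd_auth, cookie_authentication_handler}
```

Either order only decides which of two conflicting credentials wins; it does not make a request that carries both unambiguous, and, as the reply above points out, a client that relies on that order will behave differently against a server whose administrator has not made the same change. The robust fix is on the client side: send exactly one set of credentials per request, i.e. omit the session cookie on the requests that are meant to act as user2.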
