incubator-couchdb-user mailing list archives

From svilen ...@svilendobrev.com>
Subject Re: deleting /_users documents
Date Wed, 17 Apr 2013 12:38:56 GMT
then something is eating it before that,
as it yields 404/notfound, not 403/forbidden.

svil

On Wed, 17 Apr 2013 13:25:43 +0100
Robert Newson <rnewson@apache.org> wrote:

> The injected validator certainly expects a user to be able to delete
> their own document;
> 
>         if (newDoc._deleted === true) {
>             // allow deletes by admins and matching users
>             // without checking the other fields
>             if ((userCtx.roles.indexOf('_admin') !== -1) ||
>                 (userCtx.name == oldDoc.name)) {
>                 return;
>             } else {
>                 throw({forbidden: 'Only admins may delete other user docs.'});
>             }
>         }
> 
> B.
> 
> On 17 April 2013 13:17, svilen <az@svilendobrev.com> wrote:
> > Also, http://wiki.apache.org/couchdb/Security_Features_Overview
> > says nothing about deleting:
> >
> > ...
> > In addition, the _users database is now treated different from other
> > databases:
> >  An anonymous user can only create a new document.
> >  An authenticated user can only update their own document.
> >  A server or database admin can access and update all documents.
> >  Only admins can create design documents and access views and
> > _all_docs and _changes.
> >
> > Some rules regarding user documents:
> >  when created by a non server admin user, the "roles" attribute
> > must be an empty array
> >  a non server admin user can only update his own user document
> >  when updated by a non server admin user, the "roles" attribute must
> > remain unchanged
> >  role names can not start with an underscore
> >  user names can not start with an underscore
> >
> > ...
> >
> > svilen
> >
> > On Wed, 17 Apr 2013 13:59:15 +0200
> > Benoit Chesneau <bchesneau@gmail.com> wrote:
> >
> >> By design only admins can delete and create users documents.
> >>
> >> Benoît
> >> On Apr 17, 2013 1:56 PM, "svilen" <az@svilendobrev.com> wrote:
> >>
> >> > Robert Newson <rnewson@apache.org> wrote:
> >> > > This is the system security stuff. You can only see (and
> >> > > therefore update/delete) your own user document, unless you're
> >> > > an administrator.
> >> >
> >> > i know that. The point is, it is user's own document.
> >> > and authentication is provided.
> >> > get/update works. delete does not.
> >> >
> >> > svilen
> >> >
> >> > > On 17 April 2013 12:29, svilen <az@svilendobrev.com> wrote:
> >> > > > g'day
> >> > > > i'm on couchdb 1.2.0.
> >> > > > trying to delete /_users/someid?rev=.. .. and it yields 404.
> >> > > >
> >> > > > the user needs authentication.
> >> > > > so plain get fails:
> >> > > > $ curl -X GET
> >> > > > http://srv:5984/_users/org.couchdb.user%3AUSR
> >> > > >
> >> > > > {"error":"not_found","reason":"missing"}
> >> > > >
> >> > > > ok, add the USR:PSW auth:
> >> > > > $ curl -X GET
> >> > > > http://USR:PSW@srv:5984/_users/org.couchdb.user%3AUSR?rev=3-4b9b6c0f9733f27e6e8e6996544e9610
> >> > > >
> >> > > > {"_id":"org.couchdb.user:USR",
> >> > > > "_rev":"3-4b9b6c0f9733f27e6e8e6996544e9610",
> >> > > > "name":"USR","roles":[],"type":"user",
> >> > > > "password_sha":"a5325f1b518b874197c072341875794d6b10ba35"
> >> > > > }
> >> > > >
> >> > > > so get works.
> >> > > >
> >> > > > now delete the above:
> >> > > >
> >> > > > $ curl -vX DELETE
> >> > > > http://USR:PSW@server:5984/_users/org.couchdb.user%3AUSR?rev=3-4b9b6c0f9733f27e6e8e6996544e9610
> >> > > > * Connected to h (192.168.100.100) port 5984 (#0)
> >> > > > * Server auth using Basic with user 'USR'
> >> > > >> DELETE /_users/org.couchdb.user%3AUSR?rev=3-4b9b6c0f9733f27e6e8e6996544e9610 HTTP/1.1
> >> > > >> Authorization: Basic MTUwY2I5ZWUtYTMxNC00MmMyLWE2ODQtZWMzMTNhOTVlNmY3Onc=
> >> > > >> User-Agent: curl/7.29.0
> >> > > >> Host: h:5984
> >> > > >> Accept: */*
> >> > > >>
> >> > > > < HTTP/1.1 404 Object Not Found
> >> > > > < Server: CouchDB/1.2.0 (Erlang OTP/R15B01)
> >> > > > < Date: Wed, 17 Apr 2013 11:14:51 GMT
> >> > > > < Content-Type: text/plain; charset=utf-8
> >> > > > < Content-Length: 41
> >> > > > < Cache-Control: must-revalidate
> >> > > > <
> >> > > > {"error":"not_found","reason":"missing"}
> >> > > >
> >> > > > --------
> >> > > > other databases are deleting things fine.
> >> > > > any idea? is that some special treatment for /_users or what?
> >> > > >
> >> > > > ciao
> >> > > > svilen
> >> >

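The rules quoted above (the wiki's _users list and the delete branch Robert pasted), written out as one stand-alone validator so the cases in the thread can be checked offline. This is an added example, not code from the thread or from CouchDB itself; the field names and userCtx shape follow the quoted snippet, and the sample documents are constructed to mirror svilen's USR document.

```javascript
// Added example, not the thread's or CouchDB's own code: a stand-alone
// re-implementation of the _users validate_doc_update rules as listed in the
// quoted wiki text and in the quoted delete branch. Returns null when the write
// is allowed, otherwise the reason the validator would put in its 403 response.
function validateUserDoc(newDoc, oldDoc, userCtx) {
  const isAdmin = userCtx.roles.indexOf('_admin') !== -1;
  // Deletes: admins and the document's own user, without checking other fields.
  if (newDoc._deleted === true) {
    if (isAdmin || (oldDoc && userCtx.name === oldDoc.name)) return null;
    return 'Only admins may delete other user docs.';
  }
  // Naming rules apply to everyone, admins included.
  if (typeof newDoc.name !== 'string' || newDoc.name.charAt(0) === '_') {
    return 'user names can not start with an underscore';
  }
  if (!Array.isArray(newDoc.roles)) return 'roles must be an array';
  if (newDoc.roles.some((r) => String(r).charAt(0) === '_')) {
    return 'role names can not start with an underscore';
  }
  if (isAdmin) return null;
  // Non-admin create (anonymous or authenticated): roles must be an empty array.
  if (!oldDoc) {
    return newDoc.roles.length === 0 ? null : 'roles must be an empty array';
  }
  // Non-admin update: only the document's own user, and roles must not change.
  if (userCtx.name !== oldDoc.name) {
    return 'a user can only update his own user document';
  }
  if (JSON.stringify(oldDoc.roles) !== JSON.stringify(newDoc.roles)) {
    return 'roles must remain unchanged';
  }
  return null;
}
// Constructed sample data mirroring the USR document from the thread.
const usrDoc = { _id: 'org.couchdb.user:USR', name: 'USR', roles: [], type: 'user' };
const asUsr = { name: 'USR', roles: [] };
const asOther = { name: 'bob', roles: [] };
const asAnon = { name: null, roles: [] };
function runScenarios() {
  return {
    ownDelete: validateUserDoc({ _deleted: true }, usrDoc, asUsr),
    otherDelete: validateUserDoc({ _deleted: true }, usrDoc, asOther),
    ownRoleChange: validateUserDoc({ ...usrDoc, roles: ['staff'] }, usrDoc, asUsr),
    anonCreate: validateUserDoc({ name: 'carol', roles: [] }, null, asAnon),
    anonCreateWithRole: validateUserDoc({ name: 'carol', roles: ['x'] }, null, asAnon),
    underscoreName: validateUserDoc({ name: '_admin', roles: [] }, null, asUsr),
  };
}
console.log(runScenarios());
```

The ownDelete case passes this validator, which is the point Robert makes: a 404 on USR's own DELETE cannot be this check rejecting the write, since rejection here would surface as 403.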