incubator-couchdb-user mailing list archives

From svilen ...@svilendobrev.com>
Subject Re: deleting /_users documents
Date Wed, 17 Apr 2013 16:03:10 GMT
hmm, there is already one:
https://issues.apache.org/jira/browse/COUCHDB-1502
it says "Resolved". Not sure if it's absolutely same thing or not.
maybe i should get 1.2.1 to see.

and another similar older although with different symptoms:
https://issues.apache.org/jira/browse/COUCHDB-1096

it suggests a workaround, update the doc with _deleted=true


svil


On Wed, 17 Apr 2013 13:57:30 +0100
Robert Newson <rnewson@apache.org> wrote:

> Right. Best to file a JIRA ticket.
> 
> On 17 April 2013 13:38, svilen <az@svilendobrev.com> wrote:
> > then something is eating it before that.
> > as it yields 404/notfound , not 403/forbidden
> >
> > svil
> >
> > On Wed, 17 Apr 2013 13:25:43 +0100
> > Robert Newson <rnewson@apache.org> wrote:
> >
> >> The injected validator certainly expects a user to be able to
> >> delete their own document;
> >>
> >>         if (newDoc._deleted === true) {
> >>             // allow deletes by admins and matching users
> >>             // without checking the other fields
> >>             if ((userCtx.roles.indexOf('_admin') !== -1) ||
> >>                 (userCtx.name == oldDoc.name)) {
> >>                 return;
> >>             } else {
> >>                 throw({forbidden: 'Only admins may delete other user docs.'});
> >>             }
> >>         }
> >>
> >> B.
> >>
> >> On 17 April 2013 13:17, svilen <az@svilendobrev.com> wrote:
> >> > Also, http://wiki.apache.org/couchdb/Security_Features_Overview
> >> > says nothing about deleting:
> >> >
> >> > ...
> >> > In addition, the _users database is now treated different from
> >> > other databases:
> >> >  An anonymous user can only create a new document.
> >> >  An authenticated user can only update their own document.
> >> >  A server or database admin can access and update all documents.
> >> >  Only admins can create design documents and access views and
> >> > _all_docs and _changes.
> >> >
> >> > Some rules regarding user documents:
> >> >  when created by a non server admin user, the "roles" attribute
> >> > must be an empty array
> >> >  a non server admin user can only update his own user document
> >> >  when updated by a non server admin user, the "roles" attribute
> >> > must remain unchanged
> >> >  role names can not start with an underscore
> >> >  user names can not start with an underscore
> >> >
> >> > ...
> >> >
> >> > svilen
> >> >
> >> > On Wed, 17 Apr 2013 13:59:15 +0200
> >> > Benoit Chesneau <bchesneau@gmail.com> wrote:
> >> >
> >> >> By design only admins can delete and create users documents.
> >> >>
> >> >> Benoît
> >> >> On Apr 17, 2013 1:56 PM, "svilen" <az@svilendobrev.com> wrote:
> >> >>
> >> >> > Robert Newson <rnewson@apache.org> wrote:
> >> >> > > This is the system security stuff. You can only see (and
> >> >> > > therefore update/delete) your own user document, unless
> >> >> > > you're an administrator.
> >> >> >
> >> >> > i know that. The point is, it is user's own document.
> >> >> > and authentication is provided.
> >> >> > get/update works. delete does not.
> >> >> >
> >> >> > svilen
> >> >> >
> >> >> > > On 17 April 2013 12:29, svilen <az@svilendobrev.com> wrote:
> >> >> > > > g'day
> >> >> > > > i'm on couchdb 1.2.0.
> >> >> > > > trying to delete /_users/someid?rev=.. .. and it yields
> >> >> > > > 404.
> >> >> > > >
> >> >> > > > the user needs authentication.
> >> >> > > > so plain get fails:
> >> >> > > > $ curl -X GET http://srv:5984/_users/org.couchdb.user%3AUSR
> >> >> > > >
> >> >> > > > {"error":"not_found","reason":"missing"}
> >> >> > > >
> >> >> > > > ok, add the USR:PSW auth:
> >> >> > > > $ curl -X GET http://USR:PSW@srv:5984/_users/org.couchdb.user%3AUSR?rev=3-4b9b6c0f9733f27e6e8e6996544e9610
> >> >> > > >
> >> >> > > > {"_id":"org.couchdb.user:USR",
> >> >> > > > "_rev":"3-4b9b6c0f9733f27e6e8e6996544e9610",
> >> >> > > > "name":"USR","roles":[],"type":"user",
> >> >> > > > "password_sha":"a5325f1b518b874197c072341875794d6b10ba35"
> >> >> > > > }
> >> >> > > >
> >> >> > > > so get works.
> >> >> > > >
> >> >> > > > now delete the above:
> >> >> > > >
> >> >> > > > $ curl -vX DELETE http://USR:PSW@server:5984/_users/org.couchdb.user%3AUSR?rev=3-4b9b6c0f9733f27e6e8e6996544e9610
> >> >> > > > * Connected to h (192.168.100.100) port 5984 (#0)
> >> >> > > > * Server auth using Basic with user 'USR'
> >> >> > > >> DELETE /_users/org.couchdb.user%3AUSR?rev=3-4b9b6c0f9733f27e6e8e6996544e9610 HTTP/1.1
> >> >> > > >> Authorization: Basic MTUwY2I5ZWUtYTMxNC00MmMyLWE2ODQtZWMzMTNhOTVlNmY3Onc=
> >> >> > > >> User-Agent: curl/7.29.0
> >> >> > > >> Host: h:5984
> >> >> > > >> Accept: */*
> >> >> > > >>
> >> >> > > > < HTTP/1.1 404 Object Not Found
> >> >> > > > < Server: CouchDB/1.2.0 (Erlang OTP/R15B01)
> >> >> > > > < Date: Wed, 17 Apr 2013 11:14:51 GMT
> >> >> > > > < Content-Type: text/plain; charset=utf-8
> >> >> > > > < Content-Length: 41
> >> >> > > > < Cache-Control: must-revalidate
> >> >> > > > <
> >> >> > > > {"error":"not_found","reason":"missing"}
> >> >> > > >
> >> >> > > > --------
> >> >> > > > other databases are deleting things fine.
> >> >> > > > any idea? is that some special treatment for /_users or
> >> >> > > > what?
> >> >> > > >
> >> >> > > > ciao
> >> >> > > > svilen
> >> >> >
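The access rules quoted from the wiki above, together with the delete branch Robert pasted, written out as one stand-alone validate_doc_update model with a small harness. This is an added example, not CouchDB's injected validator or any code from the thread; the document, revision, hash and user names in it are constructed placeholders. It shows which caller gets which `forbidden` reason, and that a PUT carrying `_deleted: true` (the COUCHDB-1096 workaround) enters the same branch a DELETE would. It also makes the point of the thread concrete: every rejection the validator can produce is a 403 with a reason, so a bare 404 means the request was turned away before the validator ever ran.

```javascript
// Added example (not CouchDB's own code): a validate_doc_update function
// modelling the _users rules quoted in this thread, plus a harness that runs
// it over constructed documents. Names, revs and the hash are placeholders.

function validateUsersDoc(newDoc, oldDoc, userCtx) {
  var isAdmin = userCtx.roles.indexOf('_admin') !== -1;

  // Deletes take the quoted branch: admins and the matching user may delete,
  // and no other field is checked. A PUT carrying _deleted: true (the
  // COUCHDB-1096 workaround) arrives here exactly like a DELETE would.
  if (newDoc._deleted === true) {
    if (isAdmin || (oldDoc && userCtx.name === oldDoc.name)) return;
    throw { forbidden: 'Only admins may delete other user docs.' };
  }

  // Only admins can create design documents.
  if (newDoc._id.indexOf('_design/') === 0) {
    if (!isAdmin) throw { forbidden: 'Only admins may create design docs.' };
    return;
  }

  if (newDoc.type !== 'user') throw { forbidden: 'doc.type must be user' };
  if (typeof newDoc.name !== 'string') throw { forbidden: 'doc.name is required' };
  if (!Array.isArray(newDoc.roles)) throw { forbidden: 'doc.roles must be an array' };
  if (newDoc._id !== 'org.couchdb.user:' + newDoc.name) {
    throw { forbidden: 'Doc ID must be of the form org.couchdb.user:name' };
  }
  // User names and role names can not start with an underscore.
  if (newDoc.name.charAt(0) === '_') {
    throw { forbidden: 'User names may not start with an underscore.' };
  }
  newDoc.roles.forEach(function (role) {
    if (typeof role !== 'string' || role.charAt(0) === '_') {
      throw { forbidden: 'Role names may not start with an underscore.' };
    }
  });

  if (oldDoc) {
    // Update: a non-admin may only update their own document, and the
    // roles attribute must remain unchanged.
    if (!isAdmin && userCtx.name !== oldDoc.name) {
      throw { forbidden: 'You may only update your own user document.' };
    }
    if (!isAdmin && JSON.stringify(oldDoc.roles) !== JSON.stringify(newDoc.roles)) {
      throw { forbidden: 'Only admins may change roles.' };
    }
  } else if (!isAdmin && newDoc.roles.length > 0) {
    // Create: anonymous and non-admin users may create, but roles must be [].
    throw { forbidden: 'Only admins may set roles.' };
  }
}

// Returns 'ok' or the forbidden reason, so outcomes can be compared directly.
function check(newDoc, oldDoc, userCtx) {
  try {
    validateUsersDoc(newDoc, oldDoc, userCtx);
    return 'ok';
  } catch (e) {
    return e.forbidden;
  }
}

// Constructed sample data (placeholders, not values from a real server).
var usrDoc = { _id: 'org.couchdb.user:USR', _rev: '3-PLACEHOLDER', name: 'USR',
               roles: [], type: 'user', password_sha: 'PLACEHOLDER_SHA' };
var asUsr = { name: 'USR', roles: [] };
var asOther = { name: 'OTHER', roles: [] };
var asAdmin = { name: 'root', roles: ['_admin'] };
var anonymous = { name: null, roles: [] };
var stub = { _id: usrDoc._id, _rev: usrDoc._rev, _deleted: true };

function runScenarios() {
  return {
    ownerDelete: check(stub, usrDoc, asUsr),
    otherDelete: check(stub, usrDoc, asOther),
    adminDelete: check(stub, usrDoc, asAdmin),
    workaroundPut: check(Object.assign({}, usrDoc, { _deleted: true }), usrDoc, asUsr),
    anonCreate: check({ _id: 'org.couchdb.user:new', name: 'new', roles: [], type: 'user' }, null, anonymous),
    anonCreateRole: check({ _id: 'org.couchdb.user:new', name: 'new', roles: ['editor'], type: 'user' }, null, anonymous),
    selfEscalate: check(Object.assign({}, usrDoc, { roles: ['editor'] }), usrDoc, asUsr),
    underscoreName: check({ _id: 'org.couchdb.user:_x', name: '_x', roles: [], type: 'user' }, null, asAdmin)
  };
}

console.log(runScenarios());
```

Run it with node and compare the result table with the thread: the owner's delete, the admin's delete and the `_deleted: true` PUT all come back `ok`, another user's delete comes back with the quoted "Only admins may delete other user docs." reason, and a non-admin trying to grow their own `roles` is refused on the update path. Where a real server answers such a request with `{"error":"not_found","reason":"missing"}` instead of one of these `forbidden` reasons, the validator was never consulted, which is what the 404-versus-403 observation above is about.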
