incubator-couchdb-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robert Newson <rnew...@apache.org>
Subject Re: passwords
Date Tue, 23 Apr 2013 14:29:14 GMT
_deleted:true is exactly the same as DELETE to couchdb. It's curious
we block one and not the other, so I guess that's just a mistake. The
injected ddoc specifically allows a user to delete their own document.

        if (newDoc._deleted === true) {
            // allow deletes by admins and matching users
            // without checking the other fields
            if ((userCtx.roles.indexOf('_admin') !== -1) ||
                (userCtx.name == oldDoc.name)) {
                return;
            } else {
                throw({forbidden: 'Only admins may delete other user docs.'});
            }
        }


Also this is no longer on topic. :D

B.

On 23 April 2013 15:25, svilen <az@svilendobrev.com> wrote:
> ah.
> i'll be updating the userdoc with _deleted=true then, it does all the
> job including showing as delete in _changes. well, yet another
> workaround.
>
> ciao
> svilen
>
> On Tue, 23 Apr 2013 10:00:20 -0400
> Mike West <mw@data.io> wrote:
>
>> +1 as a security feature, not a bug.
>>
>> Mike
>>
>>
>> On Tue, Apr 23, 2013 at 9:26 AM, Robert Newson <rnewson@apache.org>
>> wrote:
>>
>> > svilen,
>> >
>> > I don't think that's considered a bug, though. Admins can delete
>> > users, users can't delete themselves. We can certainly debate that,
>> > but I think our position is that this is intentional.
>> >
>> > I'm also backporting the configure.ac fix as it makes it hard to
>> > run my tests.
>> >
>> > B.
>> >
>> > On 23 April 2013 14:19, svilen <az@svilendobrev.com> wrote:
>> > > the one of user unable to DELETE itself, from the other day..
>> > > don't know if it has been fixed or not.
>> > >
>> > > On Tue, 23 Apr 2013 14:14:23 +0100
>> > > Noah Slater <nslater@apache.org> wrote:
>> > >
>> > >> Any other bugs while we're at it. I'll be sending out a formal
>> > >> request tonight for people to do merges. But may as well mention
>> > >> it now.
>> > >>
>> > >>
>> > >> On 23 April 2013 14:11, Robert Newson <rnewson@apache.org> wrote:
>> > >>
>> > >> > good thought.
>> > >> >
>> > >> > On 23 April 2013 14:07, Noah Slater <nslater@apache.org>
wrote:
>> > >> > > Can we put this into one or more of the bugfixes branches?
>> > >> > >
>> > >> > >
>> > >> > > On 23 April 2013 14:02, Robert Newson <rnewson@apache.org>
>> > >> > > wrote:
>> > >> > >
>> > >> > >> I believe the fix for this is 5d4ef930 which is on master
>> > >> > >> (which will be 1.4) only.
>> > >> > >>
>> > >> > >> specifically;
>> > >> > >>
>> > >> > >> -        [Name, Pass] = re:split(NamePass, ":", [{return,
>> > >> > >> list}]),
>> > >> > >> +        [Name, Pass] = re:split(NamePass, ":", [{return,
>> > >> > >> list}, {parts, 2}]),
>> > >> > >>
>> > >> > >> B.
>> > >> > >>
>> > >> > >>
>> > >> > >>
>> > >> > >>
>> > >> > >> On 23 April 2013 13:59, Robert Newson <rnewson@apache.org>
>> > >> > >> wrote:
>> > >> > >> > Ah, that's a great distinction, rings a bell!
>> > >> > >> >
>> > >> > >> > On 23 April 2013 13:39, Dave Cottlehuber
>> > >> > >> > <dch@jsonified.com> wrote:
>> > >> > >> >> On 23 April 2013 13:15, svilen <az@svilendobrev.com>
>> > >> > >> >> wrote:
>> > >> > >> >>> g'day
>> > >> > >> >>>
>> > >> > >> >>> i am trying to set a user with a password
that is not
>> > >> > >> >>> just
>> > >> > >> alphanumeric.
>> > >> > >> >>> e.g. "b:@" (or if uri-encoded, b%3A%40)
>> > >> > >> >>>
>> > >> > >> >>> but the result of getting the /_users/ doc
is always
>> > >> > 401-unauthorized.
>> > >> > >> >>>
>> > >> > >> >>> if i login in Futon, it seems to work.
>> > >> > >> >>> when i compute the pasword_sha myself and
compare to
>> > >> > >> >>> whats in
>> > >> > user/doc,
>> > >> > >> >>> it matches.
>> > >> > >> >>>
>> > >> > >> >>> but http via basic authentication won't
let me in.
>> > >> > >> >>> e.g.
>> > >> > >> >>> curl -vX GET
>> > >> > >> >>> http://auser:b%3A%40@server
>> > :5984/_users/org.couchdb.user%3Aauser
>> > >> > >> >>>
>> > >> > >> >>> (seems the subject is very tricky and rarely
paid
>> > >> > >> >>> attention to in various http libraries i
looked
>> > >> > >> >>> recently. Everyone just lumps the usr+":"+psw
and
>> > >> > >> >>> uri-encoding/decoding is left out..)
>> > >> > >> >>
>> > >> > >> >> Hi Svilen,
>> > >> > >> >>
>> > >> > >> >> From curl, you can:
>> > >> > >> >>
>> > >> > >> >> curl -vX GET $COUCH -u tricky:p@sswd
>> > >> > >> >>
>> > >> > >> >> and leaving off the password field allows you
to enter it
>> > >> > >> >> manually or even echo ':p@sswd' | curl …
>> > >> > >> >>
>> > >> > >> >> or if you're POSTing I think you can also use
this:
>> > >> > >> >> http://curl.haxx.se/docs/manpage.html#--data-urlencode
>> > >> > >> >>
>> > >> > >> >> curl -d name=john --data-urlencode passwd=@31&3*J
>> > >> > >> https://www.mysite.com
>> > >> > >> >>
>> > >> > >> >> Anyway AFAICT there's a bug in CouchDB if the
password
>> > >> > >> >> starts with a
>> > >> > `:`
>> > >> > >> >>
>> > >> > >> >> $COUCH=http://admin:pwd@localhost:5984
>> > >> > >> >>
>> > >> > >> >> curl -HContent-Type:application/json \
>> > >> > >> >>   -vXPUT $COUCH/_users/org.couchdb.user:mrtricky
\
>> > >> > >> >>   --data-binary '{"_id":
>> > >> > >> >> "org.couchdb.user:mrtricky","name": "mrtricky","roles":
>> > >> > >> >> [],"type": "user","password": ":pwd"}'
>> > >> > >> >>
>> > >> > >> >> I would expect that I can subsequently use either
curl or
>> > >> > >> >> httpie.org
>> > >> > ,
>> > >> > >> >> neither of them succeed with -u mrtricky::pwd
or -u
>> > >> > >> >> mrtricky &
>> > >> > getting
>> > >> > >> >> password from terminal.
>> > >> > >> >>
>> > >> > >> >> A+
>> > >> > >> >> Dave
>> > >> > >>
>> > >> > >
>> > >> > >
>> > >> > >
>> > >> > > --
>> > >> > > NS
>> > >> >
>> > >>
>> > >>
>> > >>
>> > >> --
>> > >> NS
>> >

Mime
View raw message