incubator-couchdb-user mailing list archives

From Benoit Chesneau <bchesn...@gmail.com>
Subject Re: deleting /_users documents
Date Wed, 17 Apr 2013 12:15:08 GMT
On Wed, Apr 17, 2013 at 2:10 PM, svilen <az@svilendobrev.com> wrote:
> mmh.
> anyone can create a user document - /_users is world-writable, sort-of.
> at least in 1.2.0. so why not deleting it?

Odd. Maybe it's only for the replicator db then. I don't see any real
reason to forbid user deletion if anyone can create a doc... Though
IMO only the admin should be able to create such a doc currently.

- benoît

>
> or alternative, can creation of users be prohibited to anyone?
>
> svilen
>
> On Wed, 17 Apr 2013 13:59:15 +0200 Benoit Chesneau
> <bchesneau@gmail.com> wrote:
>
>> By design only admins can delete and create user documents.
>>
>> Benoît
>> On Apr 17, 2013 1:56 PM, "svilen" <az@svilendobrev.com> wrote:
>>
>> > Robert Newson <rnewson@apache.org> wrote:
>> > > This is the system security stuff. You can only see (and therefore
>> > > update/delete) your own user document, unless you're an
>> > > administrator.
>> >
>> > i know that. The point is, it is user's own document.
>> > and authentication is provided.
>> > get/update works. delete does not.
>> >
>> > svilen
>> >
>> > > On 17 April 2013 12:29, svilen <az@svilendobrev.com> wrote:
>> > > > g'day
>> > > > i'm on couchdb 1.2.0.
>> > > > trying to delete /_users/someid?rev=.. .. and it yields 404.
>> > > >
>> > > > the user needs authentication.
>> > > > so plain get fails:
>> > > > $ curl -X GET http://srv:5984/_users/org.couchdb.user%3AUSR
>> > > >
>> > > > {"error":"not_found","reason":"missing"}
>> > > >
>> > > > ok, add the USR:PSW auth:
>> > > > $ curl -X GET http://USR:PSW@srv:5984/_users/org.couchdb.user%3AUSR?rev=3-4b9b6c0f9733f27e6e8e6996544e9610
>> > > >
>> > > > {"_id":"org.couchdb.user:USR",
>> > > > "_rev":"3-4b9b6c0f9733f27e6e8e6996544e9610",
>> > > > "name":"USR","roles":[],"type":"user",
>> > > > "password_sha":"a5325f1b518b874197c072341875794d6b10ba35"
>> > > > }
>> > > >
>> > > > so get works.
>> > > >
>> > > > now delete the above:
>> > > >
>> > > > $ curl -vX DELETE http://USR:PSW@server:5984/_users/org.couchdb.user%3AUSR?rev=3-4b9b6c0f9733f27e6e8e6996544e9610
>> > > > * Connected to h (192.168.100.100) port 5984 (#0)
>> > > > * Server auth using Basic with user 'USR'
>> > > > > DELETE /_users/org.couchdb.user%3AUSR?rev=3-4b9b6c0f9733f27e6e8e6996544e9610 HTTP/1.1
>> > > > > Authorization: Basic MTUwY2I5ZWUtYTMxNC00MmMyLWE2ODQtZWMzMTNhOTVlNmY3Onc=
>> > > > > User-Agent: curl/7.29.0
>> > > > > Host: h:5984
>> > > > > Accept: */*
>> > > > >
>> > > > < HTTP/1.1 404 Object Not Found
>> > > > < Server: CouchDB/1.2.0 (Erlang OTP/R15B01)
>> > > > < Date: Wed, 17 Apr 2013 11:14:51 GMT
>> > > > < Content-Type: text/plain; charset=utf-8
>> > > > < Content-Length: 41
>> > > > < Cache-Control: must-revalidate
>> > > > <
>> > > > {"error":"not_found","reason":"missing"}
>> > > >
>> > > > --------
>> > > > other databases are deleting things fine.
>> > > > any idea? is that some special treatment for /_users or what?
>> > > >
>> > > > ciao
>> > > > svilen
>> >
