couchdb-dev mailing list archives

From Brian Candler <B.Cand...@pobox.com>
Subject Re: DB ACLs (was Re: 0.11 Release / Feature Freeze for 1.0)
Date Wed, 03 Feb 2010 21:42:18 GMT
One last thing on _reader behaviour.

If you try to access a database as a non-admin user, but don't have _reader
rights, I think you should get a 404 back which is indistinguishable from
"database does not exist".  Otherwise, you have an obvious way to probe for
database names, and if databases are named after customers, this is
an information leak.

As a non-admin you never *need* to know whether it exists or not, since you
wouldn't have rights to create it anyway.

Regards,

Brian.
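
A minimal model of the behaviour proposed in the message above, added here as an illustration and not CouchDB's own code. The function names, the in-memory database table and the response body are assumptions made for the example.

```python
import json

# Constructed sample state: database name -> users holding _reader rights.
DATABASES = {"customer_acme": {"alice"}, "public_docs": {"alice", "bob"}}
ADMINS = {"root"}

# One shared response for every "you may not know about this" outcome.
NOT_FOUND = (404, {"Content-Type": "application/json"},
             json.dumps({"error": "not_found", "reason": "missing"}))


def get_db(user, db_name):
    """Return (status, headers, body) for a GET on a database."""
    readers = DATABASES.get(db_name)
    if readers is None:
        return NOT_FOUND
    if user in ADMINS or user in readers:
        return (200, {"Content-Type": "application/json"},
                json.dumps({"db_name": db_name}))
    # Database exists but the caller lacks _reader: return the same tuple as
    # the "does not exist" branch so status, headers and body cannot differ.
    return NOT_FOUND


def leaks_existence(user, existing_db, missing_db):
    """True if the user can tell an unreadable database from a missing one."""
    return get_db(user, existing_db) != get_db(user, missing_db)


if __name__ == "__main__":
    print(get_db("bob", "customer_acme"))
    print(leaks_existence("bob", "customer_acme", "customer_nope"))
```

A regression test built on `leaks_existence` catches the case where a later change gives the unauthorized branch its own status code or error text.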
