On Tue, Feb 09, 2010 at 07:30:37PM +0000, Brian Candler wrote:
> > couch_db:check_is_admin() should allow access in this case.
> >
> > If you can reliably reproduce this, I'd like to fix it.
>
> Yes, I can reliably reproduce.

I have just upgraded to latest trunk and for some reason I can't reproduce
in a fresh db, but my existing db shows it.

I added some extra debugging in check_is_admin:

diff --git a/src/couchdb/couch_db.erl b/src/couchdb/couch_db.erl
index 6d5da15..6b033f5 100644
--- a/src/couchdb/couch_db.erl
+++ b/src/couchdb/couch_db.erl
@@ -238,7 +238,9 @@
check_is_admin(#db{user_ctx=#user_ctx{name=Name,roles=Roles}}=Db) ->
AdminRoles -> % same list, not an admin role
case AdminNames -- [Name] of
AdminNames -> % same names, not an admin
- throw({unauthorized, <<"You are not a db or server admin.">>});
+ %% throw({unauthorized, <<"You are not a db or server admin.">>});
+ Msg = list_to_binary(io_lib:format("Bah. Admins=~p, AdminNames=~p,
AdminRoles=~p, Name=~p, Roles=~p", [Admins, AdminNames, AdminRoles, Name,
Roles])),
+ throw({unauthorized, Msg});
_ ->
ok
end;
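
Review bot: the replacement `throw({unauthorized, Msg})` in the inner `AdminNames ->` clause puts Admins, AdminNames, AdminRoles and the caller's Name and Roles into the reason that is returned to a client which has just failed the admin check, so the database's admin lists become readable to anyone who can reach this branch. As a local debugging aid that is fine, but it should not be committed in this form: restore the fixed "You are not a db or server admin." reason instead of leaving it commented out, and write the values to the server log. The format string is also split across three lines as posted, and the two continuation lines carry no `+` prefix, so the hunk will not apply as it stands.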

Now this is what I see:

$ curl http://127.0.0.1:5984/briantest/_security
{"admins":{"names":["brianadmin"],"roles":[]},"readers":{"names":[],"roles":[]},"sec_obj":{"foo":"bar"}}
$ curl -X PUT -d '{}' http://brianadmin:[email protected]:5984/briantest/_design/foo
{"error":"unauthorized","reason":"Bah. Admins=[], AdminNames=[], AdminRoles=[<<\"_admin\">>], Name=<<\"brianadmin\">>, Roles=[]"}

So whilst reading the _security document via HTTP shows "brianadmin" as an
admin name, for some reason AdminNames is empty in check_is_admin.

This seems very bizarre to me: getting _security returns SecProps, but
get_admins just picks out the "admins" member of SecProps.

Regards,

Brian.
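
An added stand-alone Erlang model of the membership test visible in the patch (not CouchDB source and not part of the original mail), run against the `_security` object returned over HTTP and against the empty `Admins` that the debug message reports. The module name `sec_check_demo`, the `{unauthorized, ...}` return tuple and the `<<"_admin">>` prepend are assumptions; the last is inferred from the debug output.

```erlang
-module(sec_check_demo).
-export([check_is_admin/3, run/0]).

%% Stand-alone model of the check in the patch above; not CouchDB source.
%% Sec is a decoded _security object in {[{Key, Value}]} form.
get_admins({SecProps}) ->
    proplists:get_value(<<"admins">>, SecProps, {[]}).

check_is_admin(Sec, Name, Roles) ->
    {Admins} = get_admins(Sec),
    %% Assumption: <<"_admin">> is always prepended, inferred from the debug
    %% output (AdminRoles=[<<"_admin">>] while the stored roles list is []).
    AdminRoles = [<<"_admin">> | proplists:get_value(<<"roles">>, Admins, [])],
    AdminNames = proplists:get_value(<<"names">>, Admins, []),
    case AdminRoles -- Roles of
        AdminRoles ->                  % nothing removed: caller has no admin role
            case AdminNames -- [Name] of
                AdminNames ->          % nothing removed: caller is not a named admin
                    {unauthorized, AdminNames, AdminRoles};
                _ -> ok
            end;
        _ -> ok
    end.

run() ->
    %% Constructed from the GET /briantest/_security response in the mail.
    Stored = {[{<<"admins">>, {[{<<"names">>, [<<"brianadmin">>]},
                                {<<"roles">>, []}]}},
               {<<"readers">>, {[{<<"names">>, []}, {<<"roles">>, []}]}},
               {<<"sec_obj">>, {[{<<"foo">>, <<"bar">>}]}}]},
    %% Constructed from the debug message: the check saw Admins=[].
    Seen = {[{<<"admins">>, {[]}}]},
    Name = <<"brianadmin">>,
    %% With the object the HTTP API returns, the named admin is accepted.
    ok = check_is_admin(Stored, Name, []),
    %% With empty admins the same caller is rejected, matching the reported
    %% AdminNames=[] and AdminRoles=[<<"_admin">>].
    {unauthorized, [], [<<"_admin">>]} = check_is_admin(Seen, Name, []),
    %% A caller holding the _admin role passes even with empty props.
    ok = check_is_admin(Seen, <<"other">>, [<<"_admin">>]),
    %% Edge case: no "admins" member at all behaves like the empty case.
    {unauthorized, [], [<<"_admin">>]} = check_is_admin({[]}, Name, []),
    ok.
```

`sec_check_demo:run()` returns `ok` only if all four matches hold, which shows the reported rejection is what this test yields for an empty admins object rather than a fault in the list subtraction.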