Hi,
Are members of the admins and readers lists supposed to be able to
execute saved views? I can't get this to work using the 0.11.x git
branch, although accessing individual docs works as I expect. I will
happily provide more information if need be. I'm very new to CouchDB and
may simply be missing something, so please bear with me.
Steps to reproduce.
Start with clean CouchDB install.
Sign up two users. The first ("astraw") is an admin user, and the second
("strawman") has no privs. (Side note: the Definitive Guide chapter 22
does not correspond with 0.11.x behavior. Specifically, the POST to
_session with username and password no longer returns a working
AuthSession cookie.)
Create a db as admin:
curl -X PUT http://astraw:abc...@localhost:5984/cooldb
Add a document:
curl -X PUT http://localhost:5984/cooldb/doc1 -d '{"title":"This is document 1"}'
And I add a design document:
curl -X PUT http://astraw:[email protected]:5984/cooldb/_design/example -d \
'{"_id":"_design/example","views":{"foo":{"map":"function(doc){emit(doc._id,doc._rev)}"}}}'
I can execute the view:
curl http://strawman:[email protected]:5984/cooldb/_design/example/_view/foo
{"total_rows":1,"offset":0,"rows":[
{"id":"doc1","key":"doc1","value":"1-d4d7c84b286776200bcf12d5d481ebda"}
]}
Now I turn on security by adding strawman to the reader list.
curl -X PUT http://astraw:abc...@localhost:5984/cooldb/_security \
-d '{"admins":{"names":[],"roles":[]},"readers":{"names":["strawman"],"roles":[]}}'
OK, so now anonymous reads are forbidden, which is expected:
curl http://localhost:5984/cooldb/doc1
{"error":"unauthorized","reason":"You are not authorized to access this db."}
and authorized reads are OK, which is also as expected:
curl http://strawman:[email protected]:5984/cooldb/doc1
{"_id":"doc1","_rev":"1-d4d7c84b286776200bcf12d5d481ebda","title":"This is document 1"}
same with reads from the _admin user:
curl http://astraw:[email protected]:5984/cooldb/doc1
{"_id":"doc1","_rev":"1-d4d7c84b286776200bcf12d5d481ebda","title":"This is document 1"}
So far, so good. But now, I can't execute the view, even as admin:
curl http://astraw:[email protected]:5984/cooldb/_design/example/_view/foo
{"error":"unauthorized","reason":"You are not authorized to access this db."}
If I delete the _security, I can see the view again, even anonymously:
curl -X PUT http://astraw:abc...@localhost:5984/cooldb/_security -d \
'{"admins":{"names":[],"roles":[]},"readers":{"names":[],"roles":[]}}'
curl http://127.0.0.1:5984/cooldb/_design/example/_view/foo
{"total_rows":1,"offset":0,"rows":[
{"id":"doc1","key":"doc1","value":"1-d4d7c84b286776200bcf12d5d481ebda"}
]}
-Andrew