bump
On Thu, Sep 1, 2011 at 5:41 PM, Benoit Chesneau <[email protected]> wrote:
> forwarding this thread. Maybe we could make things a little more intuitive
> here?
>
>
> ---------- Forwarded message ----------
> From: Benoit Chesneau <[email protected]>
> Date: Thu, Sep 1, 2011 at 3:02 PM
> Subject: Re: Noob security question
> To: [email protected]
>
>
> On Thu, Sep 1, 2011 at 2:30 PM, Neil Gibbons <[email protected]> wrote:
>> Hey,
>>
>> Posted this on stackoverflow.com too
>> (http://stackoverflow.com/questions/7260971/couchdb-iris-couch-noob-security-question),
>> which led me to the mailing list.
>>
>> Basically I've been playing with Iris Couch but have come across some
>> unexpected behavior.
>> I have the following _security set against a test db:
>>
>> {"admins":{"names":["neil"],"roles":["admin"]},"readers":{"names":["guest"],"roles":["guest"]}}
>>
>> When I created a new server admin via Futon:
>>
>> {"_id":"org.couchdb.user:test2","_rev":"1-084965a94ea3d7a24116f33245a0ef95","name":"test2","type":"user","roles":[]}
>>
>> This user can read from my test db?
>>
>> curl -X GET http://test2:[email protected]/test
>> curl -X GET http://test2:[email protected]/test/_all_docs
>>
>> Because neither this user's name nor role appears in the _security document,
>> I'd expect them not to be able to be authorized?
>>
>>
>> Neil
>>
>
> I'm also confused. What happens anyway is:
>
> - The admin created via Futon creates an admin user in the ini file.
> - This user has admin rights and can see/manage all the dbs.
> - The confusing part: a user document is also created but has empty roles.
>
> IMO either we create all the users in the user db with appropriate
> roles, or "super" admins shouldn't appear in it. That's worth a
> discussion.
>
> - benoit
>

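The behaviour Neil and Benoit describe follows from how CouchDB resolves database access: a name in the `[admins]` section of the ini file is a server admin and gets the `_admin` role on every request, so the `_security` document and the `_users` doc with empty roles are never consulted. The following is an added model of that decision (not code from CouchDB or from anyone in the thread); the ini contents and the stranger/guest users are constructed, and the `members` fallback reflects the later rename of the `readers` section.

```python
# Added model of CouchDB's per-database access check.  The _security doc
# is the one from the thread; INI_ADMINS is a constructed stand-in for the
# [admins] section of local.ini that Futon writes a new server admin into.

SECURITY_DOC = {
    "admins": {"names": ["neil"], "roles": ["admin"]},
    "readers": {"names": ["guest"], "roles": ["guest"]},
}

# constructed: what Futon's "create admin" leaves in local.ini
INI_ADMINS = {"test2": "<hashed password placeholder>"}


def user_ctx(name, roles):
    """Build the userCtx CouchDB attaches to a request.

    Server admins get "_admin" from the ini file, regardless of the
    (empty) roles stored in their org.couchdb.user:* document.
    """
    roles = list(roles)
    if name in INI_ADMINS and "_admin" not in roles:
        roles.append("_admin")
    return {"name": name, "roles": roles}


def _listed(ctx, section):
    """True if the user's name or any of its roles appears in a section."""
    return ctx["name"] in section.get("names", []) or any(
        r in section.get("roles", []) for r in ctx["roles"]
    )


def access(ctx, sec):
    """Return 'admin', 'read' or 'none' for a request against this db."""
    # server admins bypass _security entirely; db admins come next
    if "_admin" in ctx["roles"] or _listed(ctx, sec.get("admins", {})):
        return "admin"
    readers = sec.get("readers", sec.get("members", {}))
    # an empty readers/members section means the db is world-readable
    if not readers.get("names") and not readers.get("roles"):
        return "read"
    return "read" if _listed(ctx, readers) else "none"


if __name__ == "__main__":
    # the case from the thread: test2 has an empty roles list in _users
    print(access(user_ctx("test2", []), SECURITY_DOC))   # admin
    print(access(user_ctx("stranger", []), SECURITY_DOC))  # none
```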