[
https://issues.apache.org/jira/browse/COUCHDB-1656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13564159#comment-13564159
]
Jason Smith commented on COUCHDB-1656:
--------------------------------------
Only admins can edit design documents, but all users can read them. There is
nothing in databases which are only visible to admins, so far. As a RESTful web
service, if Couch lets me read /some_db then it also lets me read /some_db/*.
If only admins can see _security, that would be the first time in CouchDB
history (depending how you count system DBs) where I can read a database but
not some parts inside it.
I like the patch too, but this is a big change to the security model. I'd just
like to think this through carefully. With this patch, I could set
    _security = {admins: ..., members: ..., ok_role: "some_role"}
and validate_doc_update =
    function(newDoc, oldDoc, userCtx, secObj) {
      // ~indexOf turns -1 (not found) into 0, so has_the_role is truthy only
      // when the caller holds the role named in _security
      var has_the_role = ~userCtx.roles.indexOf(secObj.ok_role);
      // CouchDB ignores the return value; a write is rejected only by throwing
      if (!has_the_role) throw({forbidden: "missing role " + secObj.ok_role});
    }
This is just restating my point that, with this patch, there are more secrets
to think about in the security system. Used to be, the _user document was the
secret. Nothing else. Now we have more secrets which interact in some complex
way.
As a minor point, if we *do* take this patch, and if people *do* write
validators that depend on this feature, then the validation function will leak
information about _security. People can try variations on document data and
user accounts (couch still lets you "sign up" without limitation) and learn
some things about _security. This is a theoretical secrecy leak but it's worth
identifying.
> Anonymous Users and Non-Admins Can Read the Security Object
> -----------------------------------------------------------
>
> Key: COUCHDB-1656
> URL: https://issues.apache.org/jira/browse/COUCHDB-1656
> Project: CouchDB
> Issue Type: Bug
> Components: Database Core
> Reporter: Klaus Trainer
> Attachments:
> 0001-Don-t-give-non-admins-read-access-to-db-_security.patch
>
>
> It is possible that anonymous users are able to read a DB's security object
> if the security object's `members` array is empty or missing. Also, it is
> generally possible for authenticated members (non-admin users) to read the
> security object.
> Only admin users should be allowed to read the security object.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
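The following is an added example, not code from the JIRA thread or from CouchDB itself. It writes out a validate_doc_update function in the shape the server calls it, gating writes on a role named in the database's _security object as the comment above sketches, and adds a small harness that invokes the validator the way CouchDB does (a thrown {forbidden: ...} rejects the write, the return value is ignored). The field name ok_role comes from the comment; the harness, the sample _security object, the user contexts and the helper names tryWrite and demo are constructed for this example. Running it shows the point about observability: because acceptance hinges on secObj.ok_role, the accept/reject outcome of a write is itself a function of a value that the patch would make admin-only.

```javascript
// Added example (not from the JIRA thread or CouchDB): a role-gated validator
// plus a harness that calls it the way the server would.

// The validator. CouchDB only honours a thrown {forbidden: ...} or
// {unauthorized: ...} object; a returned boolean has no effect.
function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  // ~indexOf turns -1 (not found) into 0 and any hit into a truthy number
  var hasTheRole = ~userCtx.roles.indexOf(secObj.ok_role);
  if (!hasTheRole) {
    throw({forbidden: 'user lacks the role required by _security'});
  }
}

// Harness (constructed): run the validator and report the decision as a string,
// which is what a client ultimately sees as a 2xx or a 403 response.
function tryWrite(newDoc, oldDoc, userCtx, secObj) {
  try {
    validate_doc_update(newDoc, oldDoc, userCtx, secObj);
    return 'accepted';
  } catch (e) {
    if (e && e.forbidden) return 'forbidden: ' + e.forbidden;
    if (e && e.unauthorized) return 'unauthorized: ' + e.unauthorized;
    throw e; // a genuine bug in the validator, not a policy decision
  }
}

// Constructed sample data: a _security object carrying the custom ok_role
// field, two user contexts and a document to write.
var SEC_OBJ = {
  admins: { names: [], roles: ['_admin'] },
  members: { names: [], roles: [] },
  ok_role: 'editor'
};
var EDITOR = { name: 'alice', roles: ['editor'] };
var READER = { name: 'bob', roles: [] };
var DOC = { _id: 'note-1', body: 'hello' };

// Both observable outcomes side by side. The only input that differs between
// the two calls is the caller's roles; the decision therefore reveals whether
// those roles include the value of secObj.ok_role, which is the secrecy
// concern the comment raises about validators that read _security.
function demo() {
  return {
    editor: tryWrite(DOC, null, EDITOR, SEC_OBJ),
    reader: tryWrite(DOC, null, READER, SEC_OBJ)
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The harness mirrors only the accept/reject contract of validate_doc_update; it does not model authentication, the members check that happens before validation, or replication. Those layers decide who can attempt a write at all, but they do not change the fact that, once a validator consults secObj, the write decision depends on that object's contents.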