[ 
https://issues.apache.org/jira/browse/COUCHDB-1837?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13690869#comment-13690869
 ] 

Alexander Shorin commented on COUCHDB-1837:
-------------------------------------------

Actually, the server had already made this information (the user's doc) available to 
the client (in the response to a GET request against the resource). The server has 
nothing to share in the response to a PUT, except the decision whether it 
accepted or rejected the data posted by the client against the resource available 
to the client.
                
> Incorrect HTTP response on attempt to update other user doc with public 
> fields enabled
> --------------------------------------------------------------------------------------
>
>                 Key: COUCHDB-1837
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-1837
>             Project: CouchDB
>          Issue Type: Bug
>          Components: HTTP Interface
>            Reporter: Alexander Shorin
>
> When `public_fields` are specified (see the 
> [8d7ab8b1|https://git-wip-us.apache.org/repos/asf?p=couchdb.git;a=commit;h=8d7ab8b18dd20f8785e69f4420c6f93a2edbfa60]
> commit) and a regular user tries to update another user's doc, CouchDB returns HTTP 
> 404 Not Found while HTTP 403 Forbidden is more expected.
> Steps to reproduce:
> 1. Enable `public_fields`
> {code}
> curl -X PUT http://localhost:5984/_config/couch_httpd_auth/public_fields -d '"name,email,whatever"' -H "Content-Type: application/json" --user couch_admin
> {code}
> 2. Set up some users
> {code}
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:abc -d '{"name":"abc", "roles":[], "type":"user", "password": "cba"}' -H "Content-Type: application/json"
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:def -d '{"name":"def", "roles":[], "type":"user", "password": "fed"}' -H "Content-Type: application/json"
> {code}
> 3. Now user `abc` may browse `def` doc
> {code}
> > curl -v http://abc:cba@localhost:5984/_users/org.couchdb.user:def
> HTTP/1.1 200 OK
> Cache-Control: must-revalidate
> Content-Length: 88
> Content-Type: text/plain; charset=utf-8
> Date: Fri, 21 Jun 2013 22:48:03 GMT
> ETag: "1-fa20c151bb6946527d261e9ef4338923"
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> {"_id":"org.couchdb.user:def","_rev":"1-fa20c151bb6946527d261e9ef4338923","name":"def"}
> {code}
> 4. Try to save `def`'s doc:
> {code}
> curl -v -X PUT http://abc:cba@localhost:5984/_users/org.couchdb.user:def -d '{}' -H "Content-Type: application/json"
> HTTP/1.1 404 Object Not Found
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> Date: Fri, 21 Jun 2013 22:49:44 GMT
> Content-Type: text/plain; charset=utf-8
> Content-Length: 41
> Cache-Control: must-revalidate
> {"error":"not_found","reason":"missing"}
> {code}
> Since the `org.couchdb.user:def` doc actually exists and is available for a direct 
> GET request, the 404 response is incorrect and confusing, while HTTP 403 Forbidden 
> is expected.
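
The inconsistency described in the report, as a check over recorded HTTP exchanges. This is an added example, not part of the original message or of CouchDB's code; the tuple layout and the function name `inconsistent_denials` are assumptions, and the sample data is constructed (its first two rows mirror steps 3 and 4 of the report).

```python
# Constructed sample: (user, method, path, status) as a test harness or
# access log might record them. Rows 1-2 mirror steps 3 and 4 of the report;
# the remaining rows are made up for contrast and are not CouchDB output.
SAMPLE_EXCHANGES = [
    ("abc", "GET", "/_users/org.couchdb.user:def", 200),
    ("abc", "PUT", "/_users/org.couchdb.user:def", 404),
    ("abc", "GET", "/_users/org.couchdb.user:abc", 200),
    ("abc", "PUT", "/_users/org.couchdb.user:abc", 201),
    ("abc", "GET", "/_users/org.couchdb.user:nobody", 404),
    ("abc", "PUT", "/_users/org.couchdb.user:nobody", 404),
]

WRITE_METHODS = {"PUT", "POST", "DELETE"}


def inconsistent_denials(exchanges):
    """Return (user, path, method) for every write answered with 404 on a
    resource that the same user was able to read with GET (status 200).

    A 404 on the write claims the resource does not exist, which contradicts
    the earlier 200; the report argues 403 Forbidden is the expected answer.
    """
    # First pass: what each user has already been shown to exist.
    readable = {
        (user, path)
        for user, method, path, status in exchanges
        if method == "GET" and status == 200
    }
    # Second pass: writes denied as "not found" on those same resources.
    return [
        (user, path, method)
        for user, method, path, status in exchanges
        if method in WRITE_METHODS
        and status == 404
        and (user, path) in readable
    ]


if __name__ == "__main__":
    for user, path, method in inconsistent_denials(SAMPLE_EXCHANGES):
        print(f"{user}: {method} {path} returned 404 but GET returned 200")
```
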
