[
https://issues.apache.org/jira/browse/COUCHDB-1838?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13712139#comment-13712139
]
Robert Newson commented on COUCHDB-1838:
----------------------------------------
We can't "replace /_users/_all_docs", unfortunately.
We do need to finish this public_fields feature very soon, the next few days,
before the 1.4 release begins on the 23rd. That means we either remove what we
have so far or find a decent compromise for the leak via _all_docs/_changes.
> Specifying public_fields parameter discloses all user docs
> ----------------------------------------------------------
>
> Key: COUCHDB-1838
> URL: https://issues.apache.org/jira/browse/COUCHDB-1838
> Project: CouchDB
> Issue Type: Bug
> Reporter: Alexander Shorin
>
> When public_fields are specified it's possible to retrieve all available user
> docs, no matter does they contains specified public fields or not.
> 0. Setup some users:
> {code}
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:abc -d
> '{"name":"abc", "roles":[], "type":"user", "password": "cba"}' -H
> "Content-Type: application/json"
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:def -d
> '{"name":"def", "roles":[], "type":"user", "password": "fed"}' -H
> "Content-Type: application/json"
> {code}
> 1. Check the old behavior without public_fields:
> {code}
> curl -v http://abc:cba@localhost:5984/_users/_all_docs
> HTTP/1.1 403 Forbidden
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> Date: Fri, 21 Jun 2013 23:12:13 GMT
> Content-Type: text/plain; charset=utf-8
> Content-Length: 87
> Cache-Control: must-revalidate
> {"error":"forbidden","reason":"Only admins can access _all_docs of system
> databases."}
> {code}
> 2. Specify some public fields that no one actually has:
> {code}
> curl -X PUT http://localhost:5984/_config/couch_httpd_auth/public_fields -d
> '"no_user_will_never_has_ziz_field_in_his_doc"' -H "Content-Type:
> application/json" --user couch_admin
> {code}
> 3. Try step 1 one more time:
> {code}
> curl -v http://abc:cba@localhost:5984/_users/_all_docs
> HTTP/1.1 200 OK
> Transfer-Encoding: chunked
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> ETag: "55N0CA8VM2Z0DQO85L1PM20XS"
> Date: Fri, 21 Jun 2013 23:15:05 GMT
> Content-Type: text/plain; charset=utf-8
> Cache-Control: must-revalidate
> {"total_rows":6,"offset":0,"rows":[
> {"id":"_design/_auth","key":"_design/_auth","value":{"rev":"1-619db7ba8551c0de3f3a178775509611"}},
> {"id":"org.couchdb.user:abc","key":"org.couchdb.user:abc","value":{"rev":"1-64d299987b4df59c048171a8ab8ba951"}},
> {"id":"org.couchdb.user:def","key":"org.couchdb.user:def","value":{"rev":"1-479a3e8a66652838706cc49544730a34"}},
> {"id":"org.couchdb.user:foo","key":"org.couchdb.user:foo","value":{"rev":"1-3859ee3742314dcb4b4f1ffaba398c91"}},
> {"id":"org.couchdb.user:mia","key":"org.couchdb.user:mia","value":{"rev":"1-f87f5003323e705d8c7a533cdd0a267c"}},
> {"id":"org.couchdb.user:root","key":"org.couchdb.user:root","value":{"rev":"1-f43dadbe5e780f392a6bd283686b3704"}}
> ]}
> {code}
> Same for anonymous user:
> {code}
> curl -v http://localhost:5984/_users/_all_docs
> HTTP/1.1 200 OK
> Transfer-Encoding: chunked
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> ETag: "55N0CA8VM2Z0DQO85L1PM20XS"
> Date: Sat, 22 Jun 2013 00:04:17 GMT
> Content-Type: text/plain; charset=utf-8
> Cache-Control: must-revalidate
> {"total_rows":6,"offset":0,"rows":[
> {"id":"_design/_auth","key":"_design/_auth","value":{"rev":"1-619db7ba8551c0de3f3a178775509611"}},
> {"id":"org.couchdb.user:abc","key":"org.couchdb.user:abc","value":{"rev":"1-64d299987b4df59c048171a8ab8ba951"}},
> {"id":"org.couchdb.user:def","key":"org.couchdb.user:def","value":{"rev":"1-479a3e8a66652838706cc49544730a34"}},
> {"id":"org.couchdb.user:foo","key":"org.couchdb.user:foo","value":{"rev":"1-3859ee3742314dcb4b4f1ffaba398c91"}},
> {"id":"org.couchdb.user:mia","key":"org.couchdb.user:mia","value":{"rev":"1-f87f5003323e705d8c7a533cdd0a267c"}},
> {"id":"org.couchdb.user:root","key":"org.couchdb.user:root","value":{"rev":"1-f43dadbe5e780f392a6bd283686b3704"}}
> ]}
> {code}
> The problem is that with specified public_fields it's possible to retrieve
> all user's names no matter has their public field or not. This behaviour a
> bit violates implemented [System Database
> Security|https://git-wip-us.apache.org/repos/asf?p=couchdb.git;a=commit;h=e5503ff]:
> [CouchDB 1.2.0 release
> notes|https://blogs.apache.org/couchdb/entry/apache_couchdb_1_2_0]:
> {quote}
> Documents in the _users database can no longer be read by everyone
> Documents in the _users databases can now only be read by the respective
> authenticated user and administrators. Before, all docs were world-readable
> including their password hashes and salts.
> {quote}
> [Security Features
> Overview|http://wiki.apache.org/couchdb/Security_Features_Overview#Authentication%20database]:
> {quote}
> In addition, the _users database is now treated different from other
> databases:
> An anonymous user can only create a new document.
> An authenticated user can only update their own document.
> A server or database admin can access and update all documents.
> Only server or database admins can create design documents and access
> views and _all_docs and _changes.
> {quote}
> Expected behaviour when `public_fields` specified:
> `_all_docs` should returns only those user docs, that are actually contains
> public fields. Users that has no such fields has nothing to publish. If user
> doc has public fields it shouldn't be mentioned in `_all_docs` response.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
