[
https://issues.apache.org/jira/browse/COUCHDB-1838?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13728605#comment-13728605
]
Jan Lehnardt commented on COUCHDB-1838:
---------------------------------------
I think the current behaviour is correct enough to ship in 1.4.0 with a big fat
warning around public_fields as it alters the semantics of _users
significantly. However if it is disabled by default and consciously enabled, I
think that’s a fair trade-off a CouchDB admin can make.
I don’t think a solution that opens all docs on _all_docs is going to be a very
good idea. If anything, we could store a flag in the by-id & by-seq indexes
(that decides whether a doc has public properties, and thus can be included).
But I think this is hairy enough to ignore for now and not think through all
too properly.
> Specifying public_fields parameter discloses all user docs
> ----------------------------------------------------------
>
> Key: COUCHDB-1838
> URL: https://issues.apache.org/jira/browse/COUCHDB-1838
> Project: CouchDB
> Issue Type: Bug
> Reporter: Alexander Shorin
> Priority: Blocker
> Fix For: 1.4
>
>
> When public_fields are specified it's possible to retrieve all available user
> docs, no matter whether they contain the specified public fields or not.
> 0. Setup some users:
> {code}
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:abc -d
> '{"name":"abc", "roles":[], "type":"user", "password": "cba"}' -H
> "Content-Type: application/json"
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:def -d
> '{"name":"def", "roles":[], "type":"user", "password": "fed"}' -H
> "Content-Type: application/json"
> {code}
> 1. Check the old behavior without public_fields:
> {code}
> curl -v http://abc:cba@localhost:5984/_users/_all_docs
> HTTP/1.1 403 Forbidden
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> Date: Fri, 21 Jun 2013 23:12:13 GMT
> Content-Type: text/plain; charset=utf-8
> Content-Length: 87
> Cache-Control: must-revalidate
> {"error":"forbidden","reason":"Only admins can access _all_docs of system
> databases."}
> {code}
> 2. Specify some public fields that no one actually has:
> {code}
> curl -X PUT http://localhost:5984/_config/couch_httpd_auth/public_fields -d
> '"no_user_will_never_has_ziz_field_in_his_doc"' -H "Content-Type:
> application/json" --user couch_admin
> {code}
> 3. Try step 1 one more time:
> {code}
> curl -v http://abc:cba@localhost:5984/_users/_all_docs
> HTTP/1.1 200 OK
> Transfer-Encoding: chunked
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> ETag: "55N0CA8VM2Z0DQO85L1PM20XS"
> Date: Fri, 21 Jun 2013 23:15:05 GMT
> Content-Type: text/plain; charset=utf-8
> Cache-Control: must-revalidate
> {"total_rows":6,"offset":0,"rows":[
> {"id":"_design/_auth","key":"_design/_auth","value":{"rev":"1-619db7ba8551c0de3f3a178775509611"}},
> {"id":"org.couchdb.user:abc","key":"org.couchdb.user:abc","value":{"rev":"1-64d299987b4df59c048171a8ab8ba951"}},
> {"id":"org.couchdb.user:def","key":"org.couchdb.user:def","value":{"rev":"1-479a3e8a66652838706cc49544730a34"}},
> {"id":"org.couchdb.user:foo","key":"org.couchdb.user:foo","value":{"rev":"1-3859ee3742314dcb4b4f1ffaba398c91"}},
> {"id":"org.couchdb.user:mia","key":"org.couchdb.user:mia","value":{"rev":"1-f87f5003323e705d8c7a533cdd0a267c"}},
> {"id":"org.couchdb.user:root","key":"org.couchdb.user:root","value":{"rev":"1-f43dadbe5e780f392a6bd283686b3704"}}
> ]}
> {code}
> Same for anonymous user:
> {code}
> curl -v http://localhost:5984/_users/_all_docs
> HTTP/1.1 200 OK
> Transfer-Encoding: chunked
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> ETag: "55N0CA8VM2Z0DQO85L1PM20XS"
> Date: Sat, 22 Jun 2013 00:04:17 GMT
> Content-Type: text/plain; charset=utf-8
> Cache-Control: must-revalidate
> {"total_rows":6,"offset":0,"rows":[
> {"id":"_design/_auth","key":"_design/_auth","value":{"rev":"1-619db7ba8551c0de3f3a178775509611"}},
> {"id":"org.couchdb.user:abc","key":"org.couchdb.user:abc","value":{"rev":"1-64d299987b4df59c048171a8ab8ba951"}},
> {"id":"org.couchdb.user:def","key":"org.couchdb.user:def","value":{"rev":"1-479a3e8a66652838706cc49544730a34"}},
> {"id":"org.couchdb.user:foo","key":"org.couchdb.user:foo","value":{"rev":"1-3859ee3742314dcb4b4f1ffaba398c91"}},
> {"id":"org.couchdb.user:mia","key":"org.couchdb.user:mia","value":{"rev":"1-f87f5003323e705d8c7a533cdd0a267c"}},
> {"id":"org.couchdb.user:root","key":"org.couchdb.user:root","value":{"rev":"1-f43dadbe5e780f392a6bd283686b3704"}}
> ]}
> {code}
> The problem is that with public_fields specified it's possible to retrieve
> all users' names no matter whether they have public fields or not. This behaviour
> somewhat violates the implemented [System Database
> Security|https://git-wip-us.apache.org/repos/asf?p=couchdb.git;a=commit;h=e5503ff]:
> [CouchDB 1.2.0 release
> notes|https://blogs.apache.org/couchdb/entry/apache_couchdb_1_2_0]:
> {quote}
> Documents in the _users database can no longer be read by everyone
> Documents in the _users databases can now only be read by the respective
> authenticated user and administrators. Before, all docs were world-readable
> including their password hashes and salts.
> {quote}
> [Security Features
> Overview|http://wiki.apache.org/couchdb/Security_Features_Overview#Authentication%20database]:
> {quote}
> In addition, the _users database is now treated different from other
> databases:
> An anonymous user can only create a new document.
> An authenticated user can only update their own document.
> A server or database admin can access and update all documents.
> Only server or database admins can create design documents and access
> views and _all_docs and _changes.
> {quote}
> Expected behaviour when `public_fields` is specified:
> `_all_docs` should return only those user docs that actually contain
> public fields. Users that have no such fields have nothing to publish. If a user
> doc has public fields it shouldn't be mentioned in the `_all_docs` response.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
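The expected behaviour described in the issue, modelled as an added example (this is not CouchDB's own code, and it does not reflect how the 1.4 fix was actually implemented). It assumes the `couch_httpd_auth/public_fields` value is a comma-separated list of field names and uses a constructed set of `_users` docs; the `visible_user_rows` function and its principals (admin, authenticated user, anonymous) are the example's own names. It shows the three cases a reviewer of this bug would want checked: admins still see everything, non-admins are still refused when no public fields are configured, and with public fields configured a doc is listed only if it actually carries at least one of them, and then only those fields are exposed.

```python
"""Model of the _all_docs filtering behaviour COUCHDB-1838 asks for.

Added example, not CouchDB code. Assumes public_fields is a comma-separated
list of field names (as CouchDB documents it) and uses constructed sample docs.
"""
from typing import List, Optional

# Constructed sample of _users docs; hash/salt values are placeholders.
SAMPLE_USERS = [
    {"_id": "org.couchdb.user:abc", "name": "abc", "roles": [], "type": "user",
     "password_sha": "<sha-abc>", "salt": "<salt-abc>"},
    {"_id": "org.couchdb.user:def", "name": "def", "roles": [], "type": "user",
     "password_sha": "<sha-def>", "salt": "<salt-def>", "fullname": "Def Example"},
    {"_id": "_design/_auth", "language": "javascript"},
]


class Forbidden(Exception):
    """Raised where CouchDB answers 403 to _all_docs on a system database."""


def parse_public_fields(setting: Optional[str]) -> List[str]:
    """Split the couch_httpd_auth/public_fields value into field names."""
    if not setting:
        return []
    return [f.strip() for f in setting.split(",") if f.strip()]


def visible_user_rows(docs, public_fields_setting: Optional[str], is_admin: bool = False):
    """Return the _all_docs-style rows a principal should see.

    - admins see every row (behaviour unchanged by public_fields);
    - with no public_fields configured, non-admins (authenticated or
      anonymous) are refused, exactly as before public_fields existed;
    - otherwise a doc is listed for non-admins only if it carries at least
      one configured public field, and the row exposes only those fields
      plus _id. Password hashes and salts are never copied into the row.
    """
    if is_admin:
        return [{"id": d["_id"], "doc": d} for d in docs]
    fields = parse_public_fields(public_fields_setting)
    if not fields:
        raise Forbidden("Only admins can access _all_docs of system databases.")
    rows = []
    for d in docs:
        exposed = {k: d[k] for k in fields if k in d}
        if not exposed:
            continue  # nothing to publish: the doc must not appear at all
        exposed["_id"] = d["_id"]
        rows.append({"id": d["_id"], "doc": exposed})
    return rows


def leaked_secret_fields(rows) -> List[str]:
    """Sanity check for a test: list any credential fields present in rows."""
    return [k for r in rows for k in r["doc"] if k in ("password_sha", "salt", "password")]
```

With the setting from step 2 of the report (`"no_user_will_never_has_ziz_field_in_his_doc"`) the function returns an empty row list rather than every user id, which is the behaviour the reporter expects; an empty or unset value keeps the pre-1.4 403 for non-admins.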