Alexander Shorin created COUCHDB-2534:
-----------------------------------------
Summary: Return forbidden error when authed user tries to access database it isn't allowed to
Key: COUCHDB-2534
URL: https://issues.apache.org/jira/browse/COUCHDB-2534
Project: CouchDB
Issue Type: Bug
Security Level: public (Regular issues)
Components: Database Core
Reporter: Alexander Shorin
This also causes annoying behaviour when `require_valid_user` is set to `true`.
Steps to reproduce:
1. Fix admin party
2. Create some user
3. Create some database
4. Set up members for that database, excluding access for your user
5. Set `require_valid_user=true`
6. Login as the user and open up futon
While rendering the database list, Futon requests every database for info about
the number of docs, db size etc. When it hits a database which doesn't have the
current user in its members, CouchDB returns a 401 unauthorized error, even if you
are authenticated. This error comes to the httpd error handler and, according to
the `require_valid_user` setting, CouchDB sends a WWW-Authenticate header in the
response back to the browser - this happens only for unauthorized errors. The
browser sees that header and shows a modal dialog to let the end-user specify
credentials in order to access some unnamed resource. And so it happens for every
database.
If you have a hundred of them and the user has access only to a single one, using
futon/fauxton turns into a nightmare.
The error originates from couch_db:check_is_member/1, which doesn't care whether
the user is already auth'ed, counting everyone as unauthenticated in case they are
not members.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
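The distinction the issue asks for, as an added example that is not CouchDB's own code: a Python model of the membership check (not the Erlang `couch_db:check_is_member/1`) over a constructed `_security` object, answering 401 only for anonymous callers and 403 for an authenticated user who is simply not a member, so the browser never receives `WWW-Authenticate` for that case. Names, roles and the `_security` contents are constructed for the example.

```python
"""Python model of the database membership decision described in the issue.

Constructed example, not CouchDB's Erlang: the same inputs a _security
check sees (user name, user roles, the db's _security object), returning
the status the issue argues for.
"""

# Constructed _security object: only "admin" administers the db, and only
# "alice" or anyone with the "reader" role is a member.
SECURITY = {
    "admins": {"names": ["admin"], "roles": []},
    "members": {"names": ["alice"], "roles": ["reader"]},
}


def _matches(section, name, roles):
    """True if the user's name or any of its roles is listed in a section."""
    return name in section.get("names", []) or any(
        r in section.get("roles", []) for r in roles)


def is_admin(security, name, roles):
    """Server admins carry the _admin role; db admins come from _security."""
    return "_admin" in roles or _matches(security.get("admins", {}), name, roles)


def is_member(security, name, roles):
    """Admins are members; a db with an empty members section is public;
    otherwise the name or a role must be listed under members."""
    members = security.get("members", {})
    if is_admin(security, name, roles):
        return True
    if not members.get("names") and not members.get("roles"):
        return True
    return _matches(members, name, roles)


def check_is_member(security, name, roles):
    """Return (status, reason) for a request against this db.

    name is None for an anonymous request. The bug in the issue is that
    CouchDB answered 401 for the authenticated case too, which (with
    require_valid_user) adds WWW-Authenticate and triggers the browser's
    credentials dialog; a 403 carries no such header.
    """
    if is_member(security, name, roles):
        return 200, "ok"
    if name is None and not roles:
        return 401, "unauthorized"   # anonymous: asking for credentials is right
    return 403, "forbidden"          # authenticated but not a member: no prompt
```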