Aleksander Alekseev created COUCHDB-3156:

             Summary: Users could be created by anyone (missing authorization for /_users/* endpoint)
                 Key: COUCHDB-3156
             Project: CouchDB
          Issue Type: Bug
          Components: HTTP Interface
            Reporter: Aleksander Alekseev

Steps to reproduce:

1. Configure a 3-node cluster (not sure if it also reproduces on a single-node 
setup), make sure you've created an admin user:

curl -X PUT 
-d '"password"'

2. Execute:

curl -X PUT http://localhost:5984/_users/org.couchdb.user:afiskon \
     -H "Accept: application/json" \
     -H "Content-Type: application/json" \
     -d '{"name": "afiskon", "password": "secret", "roles": [], "type": "user"}'

Expected behavior:

User should not be created since no admin username and password were provided.

Actual behavior:


Affected version:

CouchDB 2.0

This message was sent by Atlassian JIRA
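As an added check that is not part of the report or of the CouchDB project: the Python probe below performs step 2 of the reproduction with no credentials and classifies the response, the outcome the report expects being "rejected". The base URL, the probe account name, the admin credentials used for cleanup and the FakeCouch transport are assumptions constructed here so the script runs offline; pass a real node's URL on the command line to probe a live cluster.

```python
import base64
import io
import json
import sys
import urllib.error
import urllib.request

PROBE_NAME = "probe_user"  # assumed probe account; choose a name that does not exist yet


def user_doc(name, password, roles=None):
    """The user document from step 2 of the report."""
    return {"name": name, "password": password, "roles": roles or [], "type": "user"}


def request_json(method, url, doc=None, auth=None, urlopen=urllib.request.urlopen):
    """Send one JSON request; return (status, body) for any status code.

    auth is an optional (user, password) tuple sent as HTTP Basic. When it is
    None the request is deliberately anonymous, the condition the report is about.
    """
    data = None if doc is None else json.dumps(doc).encode()
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Accept": "application/json", "Content-Type": "application/json"})
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads((err.read() if err.fp is not None else b"") or b"{}")


def classify(status):
    """Verdict for the anonymous PUT; the report expects 'rejected'."""
    if status in (401, 403):
        return "rejected"
    if status in (201, 202):
        return "accepted"
    if status == 409:
        return "conflict"  # probe doc already exists; rerun with a fresh name
    return "inconclusive"


def check_anonymous_user_creation(base_url, name=PROBE_NAME, admin=None,
                                  urlopen=urllib.request.urlopen):
    """PUT a user doc with no credentials and classify the outcome.

    If the doc was stored and admin credentials are given, delete it again so
    the check leaves no account behind. Returns (verdict, status, cleaned_up).
    """
    url = f"{base_url.rstrip('/')}/_users/org.couchdb.user:{name}"
    status, body = request_json("PUT", url, user_doc(name, "probe-password"), urlopen=urlopen)
    verdict, cleaned_up = classify(status), False
    if verdict == "accepted" and admin is not None and "rev" in body:
        del_status, _ = request_json("DELETE", f"{url}?rev={body['rev']}", auth=admin, urlopen=urlopen)
        cleaned_up = del_status == 200
    return verdict, status, cleaned_up


class FakeCouch:
    """Constructed stand-in for urlopen so the probe runs offline.

    allow_anonymous=True models the outcome the report describes (201 with no
    credentials); False models the expected behaviour (401).
    """

    def __init__(self, allow_anonymous):
        self.allow_anonymous, self.docs = allow_anonymous, {}

    def __call__(self, req):
        doc_id = req.full_url.rsplit("/", 1)[1].split("?")[0]
        authed = req.get_header("Authorization") is not None
        if req.get_method() == "PUT":
            if not (authed or self.allow_anonymous):
                raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {},
                                             io.BytesIO(b'{"error":"unauthorized"}'))
            self.docs[doc_id] = json.loads(req.data)
            return _Response(201, {"ok": True, "id": doc_id, "rev": "1-fake"})
        if req.get_method() == "DELETE" and authed and doc_id in self.docs:
            del self.docs[doc_id]
            return _Response(200, {"ok": True, "id": doc_id, "rev": "2-fake"})
        raise urllib.error.HTTPError(req.full_url, 404, "Not Found", {},
                                     io.BytesIO(b'{"error":"not_found"}'))


class _Response:
    def __init__(self, status, body):
        self.status, self._body = status, json.dumps(body).encode()

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python probe.py http://localhost:5984 [admin password]
        admin = (sys.argv[2], sys.argv[3]) if len(sys.argv) > 3 else None
        print(check_anonymous_user_creation(sys.argv[1], admin=admin))
    else:  # offline demonstration against the constructed transport
        for mode in (True, False):
            print("allow_anonymous=%s ->" % mode, check_anonymous_user_creation(
                "http://localhost:5984", admin=("admin", "password"), urlopen=FakeCouch(mode)))
```

Run it without arguments to see both outcomes against the fake; against a live node, supply the admin credentials from step 1 so that a successfully created probe account is removed again. A "conflict" verdict only means the probe name is taken, not that authorization was enforced.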