[ https://issues.apache.org/jira/browse/COUCHDB-3156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15514030#comment-15514030 ]

Alexander Shorin commented on COUCHDB-3156:
-------------------------------------------

Vote for closing as Won't Fix or reclassify into Feature request.

Regular users can be created by anyone. That has been the behaviour since the very first 
CouchDB releases, when you could sign up and do the stuff. 

The behaviour you want to achieve was always controlled by the 
[couch_httpd_auth/require_valid_user|http://docs.couchdb.org/en/latest/config/auth.html#couch_httpd_auth/require_valid_user]
 option, which eventually requires you to log in first to be able to call any CouchDB 
API. So, initially, only admins can create users. Other users may register other 
users. No users may set custom roles to bypass database role-based security.

However, there indeed could be a setup where only admins should create users. Say, 
some public service with restricted membership. Then, it's all about a special 
option that controls the _users auth level.

Correct me if I get you wrong.

> Users could be created by anyone (missing authorization for /_users/* 
> endpoint)
> -------------------------------------------------------------------------------
>
>                 Key: COUCHDB-3156
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-3156
>             Project: CouchDB
>          Issue Type: Bug
>          Components: HTTP Interface
>            Reporter: Aleksander Alekseev
>            Priority: Critical
>
> Steps to reproduce:
> 1. Configure a 3-node cluster (not sure if it also reproduces on a 
> single-node setup), make sure you've created an admin user:
> {code}
> curl -X PUT http://127.0.0.1:5984/_node/couchdb@10.110.2.4/_config/admins/admin -d '"password"'
> {code}
> 2. Execute:
> {code}
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:afiskon \
>      -H "Accept: application/json" \
>      -H "Content-Type: application/json" \
>      -d '{"name": "afiskon", "password": "secret", "roles": [], "type": "user"}'
> {code}
> Expected behavior:
> {code}
> {"error":"unauthorized","reason":"You are not a server admin."}
> {code}
> ( User should not be created since no admin username and password were 
> provided. )
> Actual behavior:
> {code}
> {"ok":true,"id":"org.couchdb.user:afiskon","rev":"1-ed29e6531747deca44fad127b033fe59"}
> {code}
> Affected version:
> CouchDB 2.0
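A small configuration audit for the option Alexander links to, added here as an example (it is not code from this thread or from CouchDB itself). It parses a constructed local.ini, reports when `[couch_httpd_auth] require_valid_user` is unset or false (the state in which an anonymous client can PUT into `/_users`, as in the report above), flags a missing `[admins]` section, and emits a hardened copy. The sample ini contents are constructed; the option and section names come from the linked documentation.

```python
"""Audit a CouchDB local.ini for open anonymous signup (COUCHDB-3156 context)."""
import configparser
import io
from typing import List

SECTION = "couch_httpd_auth"   # section named in the linked docs
OPTION = "require_valid_user"  # CouchDB default for this option is false

# Constructed sample local.ini: admins exist, but anonymous requests are
# still allowed, so anyone can create documents under /_users.
SAMPLE_INI = """\
[couch_httpd_auth]
authentication_db = _users
require_valid_user = false
timeout = 600

[admins]
admin = -pbkdf2-deadbeef,cafe,10
"""


def parse_ini(text: str) -> configparser.ConfigParser:
    """Parse ini text the way CouchDB's own files look: ';' comments,
    keys without values, no '%' interpolation of hashed passwords."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def anonymous_signup_allowed(text: str) -> bool:
    """True unless require_valid_user is explicitly 'true' (missing == false)."""
    value = parse_ini(text).get(SECTION, OPTION, fallback="false")
    return value.strip().lower() != "true"


def audit(text: str) -> List[str]:
    """Return the findings a reviewer would raise against this config."""
    findings: List[str] = []
    cp = parse_ini(text)
    if anonymous_signup_allowed(text):
        findings.append(f"{SECTION}/{OPTION} is not true: unauthenticated clients can create _users documents")
    if not cp.has_section("admins") or not cp.options("admins"):
        findings.append("no server admins configured: every client is treated as admin")
    return findings


def hardened(text: str) -> str:
    """Return a copy of the ini with require_valid_user forced to true."""
    cp = parse_ini(text)
    if not cp.has_section(SECTION):
        cp.add_section(SECTION)
    cp.set(SECTION, OPTION, "true")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```

Setting the option to true also locks out anonymous reads, which is the trade-off the comment describes, so a public-read deployment needs the separate admin-only signup option rather than this one.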

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)