[ 
https://issues.apache.org/jira/browse/COUCHDB-3156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15514107#comment-15514107
 ] 

Alexander Shorin commented on COUCHDB-3156:
-------------------------------------------

[~afiskon]
> It also doesn't make sense to deny everyone to create databases and
> documents (it's what CouchDB currently does after creation of the first
> admin) and allow creating as many users as you want.

It has. Administrators must create the database first and set it up right (security,
design docs etc.) to make it ready for users. Administrators cannot create users
instead of them because otherwise we have to solve an interesting quest such as
"what password to set by default"? Obviously, only the users themselves may answer
that. So the simplest solution that works is to allow users to register
themselves and ask admins to grant them permissions for specific databases.
That's simple and how it works till today.

What you call the bug is actually a major current feature improvement, since user
registration would have to happen in two steps using some middle service as the
conjunction point.

> Users could be created by anyone (missing authorization for /_users/* 
> endpoint)
> -------------------------------------------------------------------------------
>
>                 Key: COUCHDB-3156
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-3156
>             Project: CouchDB
>          Issue Type: Bug
>          Components: HTTP Interface
>            Reporter: Aleksander Alekseev
>            Priority: Critical
>
> Steps to reproduce:
> 1. Configure a 3-node cluster (not sure if it also reproduces on a 
> single-node setup), make sure you've created an admin user:
> {code}
> curl -X PUT \
>      http://127.0.0.1:5984/_node/couchdb@10.110.2.4/_config/admins/admin \
>      -d '"password"'
> {code}
> 2. Execute:
> {code}
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:afiskon \
>      -H "Accept: application/json" \
>      -H "Content-Type: application/json" \
>      -d '{"name": "afiskon", "password": "secret", "roles": [], "type": 
> "user"}'
> {code}
> Expected behavior:
> {code}
> {"error":"unauthorized","reason":"You are not a server admin."}
> {code}
> (User should not be created since no admin username and password were
> provided.)
> Actual behavior:
> {code}
> {"ok":true,"id":"org.couchdb.user:afiskon","rev":"1-ed29e6531747deca44fad127b033fe59"}
> {code}
> Affected version:
> CouchDB 2.0
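Added example (not code from this thread or from CouchDB itself): a small model of how a database's `_security` object is evaluated against a user context, following CouchDB's documented rules for the `admins` and `members` sections. It shows why the self-registered user from the report (`"roles": []`) gets no access to a properly set up database until an admin grants it. The database name, security object and user names are constructed sample data.

```python
# Model of CouchDB's per-database _security check (added example, not CouchDB code).
# The rules follow CouchDB's documented semantics; all sample data is constructed.
from typing import Dict, List

# Constructed: what an admin PUTs to /projects/_security after creating the db.
PROJECTS_SECURITY = {
    "admins": {"names": ["alice"], "roles": ["projects_admin"]},
    "members": {"names": ["bob"], "roles": ["projects_reader"]},
}

# Constructed: a database whose _security was never set (both sections empty).
OPEN_SECURITY = {
    "admins": {"names": [], "roles": []},
    "members": {"names": [], "roles": []},
}


def _matches(section: Dict[str, List[str]], name: str, roles: List[str]) -> bool:
    """True if the user's name or any of the user's roles is listed in the section."""
    return name in section.get("names", []) or any(
        r in section.get("roles", []) for r in roles
    )


def access_level(security: dict, name: str, roles: List[str]) -> str:
    """Return 'admin', 'member' or 'none' for the given user context.

    Rules modelled on CouchDB: the server-wide _admin role always wins; the
    admins section grants database-admin; the members section grants member;
    an empty members section means anyone (even anonymous) may read the db.
    """
    admins = security.get("admins", {})
    members = security.get("members", {})
    if "_admin" in roles or _matches(admins, name, roles):
        return "admin"
    if _matches(members, name, roles):
        return "member"
    if not members.get("names") and not members.get("roles"):
        return "member"  # no members restriction: database is open to readers
    return "none"


if __name__ == "__main__":
    # "afiskon" is the reporter's self-registered user: present in _users, no roles.
    for user, roles in [("afiskon", []), ("bob", []), ("carol", ["projects_reader"]),
                        ("alice", []), ("admin", ["_admin"]), ("", [])]:
        print(f"{user or '<anonymous>':12} projects={access_level(PROJECTS_SECURITY, user, roles):7}"
              f" unset={access_level(OPEN_SECURITY, user, roles)}")
```

The contrast between the two security objects is the point of Shorin's comment: self-registration only hands out an identity, and it is the `_security` object the admin sets on each database that decides what that identity can reach.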



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)