[ https://issues.apache.org/jira/browse/COUCHDB-3156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15514137#comment-15514137 ]
Aleksander Alekseev commented on COUCHDB-3156:
----------------------------------------------

[~kxepal] very well, but in this case it should be documented in 1.6.2. And I propose to use a <strong> tag since it's a very unexpected behavior. In other databases (e.g. PostgreSQL), or say on all *nix systems, the administrator creates users and then the users change their password (or not).

> Users could be created by anyone (missing authorization for /_users/* endpoint)
> -------------------------------------------------------------------------------
>
>                 Key: COUCHDB-3156
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-3156
>             Project: CouchDB
>          Issue Type: Bug
>          Components: HTTP Interface
>            Reporter: Aleksander Alekseev
>            Priority: Critical
>
> Steps to reproduce:
> 1. Configure a 3-node cluster (not sure if it also reproduces on a single-node setup), make sure you've created an admin user:
> {code}
> curl -X PUT http://127.0.0.1:5984/_node/couchdb@10.110.2.4/_config/admins/admin -d '"password"'
> {code}
> 2. Execute:
> {code}
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:afiskon \
>   -H "Accept: application/json" \
>   -H "Content-Type: application/json" \
>   -d '{"name": "afiskon", "password": "secret", "roles": [], "type": "user"}'
> {code}
> Expected behavior:
> {code}
> {"error":"unauthorized","reason":"You are not a server admin."}
> {code}
> ( User should not be created since no admin username and password were provided. )
> Actual behavior:
> {code}
> {"ok":true,"id":"org.couchdb.user:afiskon","rev":"1-ed29e6531747deca44fad127b033fe59"}
> {code}
> Affected version:
> CouchDB 2.0

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
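The reproduction steps in the quoted issue can be turned into a repeatable check for a node. The script below is an added example, not code from the CouchDB project or from the issue reporter: it sends the same unauthenticated PUT to /_users/org.couchdb.user:<name>, classifies the JSON CouchDB answers with, and, if the document was created, removes it again using admin credentials so the probe leaves no account behind. The host, port, admin credentials and the `RUN_PROBE` switch are assumptions for illustration; adjust them for your cluster.

```shell
#!/bin/sh
# Added example (not the CouchDB project's own code): probe whether a CouchDB
# node accepts an unauthenticated PUT to /_users/org.couchdb.user:<name>, the
# behaviour reported in COUCHDB-3156. Connection details below are assumptions.
COUCH_URL="${COUCH_URL:-http://127.0.0.1:5984}"
ADMIN_USER="${ADMIN_USER:-admin}"
ADMIN_PASS="${ADMIN_PASS:-password}"

# classify_user_put BODY
# Prints "open" when the server created the user document (the "actual
# behavior" in the issue), "protected" when it answered unauthorized (the
# "expected behavior"), "forbidden" when a validation function rejected the
# write, and "other" for anything else (including an empty body when the
# server could not be reached).
classify_user_put() {
    body=$(printf '%s' "$1" | tr -d ' \n')
    case "$body" in
        *'"ok":true'*)              echo open ;;
        *'"error":"unauthorized"'*) echo protected ;;
        *'"error":"forbidden"'*)    echo forbidden ;;
        *)                          echo other ;;
    esac
}

# probe_user_creation NAME
# Performs the PUT with no credentials at all, prints the classification and,
# when the document was created, deletes it with the admin credentials so the
# probe does not leave a usable account on the node.
probe_user_creation() {
    name="$1"
    doc_url="$COUCH_URL/_users/org.couchdb.user:$name"
    body=$(curl -s -X PUT "$doc_url" \
        -H 'Accept: application/json' \
        -H 'Content-Type: application/json' \
        -d "{\"name\":\"$name\",\"password\":\"probe\",\"roles\":[],\"type\":\"user\"}")
    result=$(classify_user_put "$body")
    if [ "$result" = open ]; then
        # The revision is needed to delete the document that was just created.
        rev=$(printf '%s' "$body" | sed -n 's/.*"rev":"\([^"]*\)".*/\1/p')
        curl -s -X DELETE "$doc_url?rev=$rev" -u "$ADMIN_USER:$ADMIN_PASS" >/dev/null
    fi
    echo "$result"
}

# Only talk to a real node when explicitly asked; a throw-away name keeps the
# probe from colliding with existing users.
if [ -n "${RUN_PROBE:-}" ]; then
    probe_user_creation "probe$$"
fi
```

Run it as `RUN_PROBE=1 sh probe.sh` against a node you administer; "open" reproduces the issue as filed, "protected" is the response the reporter expected. The classifier is kept separate from the network call so it can be exercised against recorded responses without a live cluster.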