[ https://issues.apache.org/jira/browse/COUCHDB-3156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15514173#comment-15514173 ]

Alexander Shorin commented on COUCHDB-3156:
-------------------------------------------

[~afiskon]
I agree, that's a quite specific behaviour that doesn't match any other 
database I know, but initially there were different ideas and intentions 
applied, so everyone is free to sign up. It has its own pros and cons, and that 
freedom is too easy to abuse in a public service, thanks to our Internet culture. 

In real life it isn't much different, as once a user is created, they have to 
communicate with admins in order to receive proper roles and be assigned to the 
databases they need, or ask to prepare some environment, etc. The only difference 
is the question of who sets the initial password and whether the user would change 
the default one. In everything else both your suggestion and the current behavior 
are the same.

There is a large room for improvement, like letting users reset their own password 
using email without asking admins, but those are all improvements on what 
CouchDB has now.

> Users could be created by anyone (missing authorization for /_users/* 
> endpoint)
> -------------------------------------------------------------------------------
>
>                 Key: COUCHDB-3156
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-3156
>             Project: CouchDB
>          Issue Type: Bug
>          Components: HTTP Interface
>            Reporter: Aleksander Alekseev
>            Priority: Critical
>
> Steps to reproduce:
> 1. Configure a 3-node cluster (not sure if it also reproduces on a 
> single-node setup), make sure you've created an admin user:
> {code}
> curl -X PUT http://127.0.0.1:5984/_node/couchdb@10.110.2.4/_config/admins/admin \
>      -d '"password"'
> {code}
> 2. Execute:
> {code}
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:afiskon \
>      -H "Accept: application/json" \
>      -H "Content-Type: application/json" \
>      -d '{"name": "afiskon", "password": "secret", "roles": [], "type": "user"}'
> {code}
> Expected behavior:
> {code}
> {"error":"unauthorized","reason":"You are not a server admin."}
> {code}
> ( User should not be created since no admin username and password were 
> provided. )
> Actual behavior:
> {code}
> {"ok":true,"id":"org.couchdb.user:afiskon","rev":"1-ed29e6531747deca44fad127b033fe59"}
> {code}
> Affected version:
> CouchDB 2.0
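For operators who do not want the open sign-up behaviour discussed above, the following is an added example (not code from CouchDB or from this thread) of a `validate_doc_update` function that rejects creation of new user documents unless the caller holds the `_admin` role, leaving every other write (password changes by the user, admin edits) to CouchDB's built-in `_auth` validation. It assumes the function is uploaded as a design document in `_users` (the name `_design/admin_only_signup` and the sample contexts below are constructed for the example).

```javascript
// Validation function in the form CouchDB expects: (newDoc, oldDoc, userCtx, secObj).
// Throwing {unauthorized: ...} makes CouchDB answer 401, matching the response
// the reporter expected in the issue.
var validateUserCreation = function (newDoc, oldDoc, userCtx, secObj) {
  var isAdmin = userCtx.roles.indexOf('_admin') !== -1;
  var isNewDoc = oldDoc === null || oldDoc === undefined;
  var isDesignDoc = newDoc._id.indexOf('_design/') === 0;
  if (isNewDoc && !isDesignDoc && !isAdmin) {
    throw { unauthorized: 'Only server admins may create user accounts.' };
  }
  // Updates to existing user docs fall through to the built-in _auth rules.
};

// Design document carrying the function as source text (assumed name).
// Upload with admin credentials, e.g.:
//   curl -u admin:password -X PUT http://localhost:5984/_users/_design/admin_only_signup \
//        -H "Content-Type: application/json" -d @design.json
var DESIGN_DOC = {
  _id: '_design/admin_only_signup',
  validate_doc_update: validateUserCreation.toString()
};

// Constructed sample contexts mirroring the issue's reproduction step.
var ANON_CTX = { db: '_users', name: null, roles: [] };
var ADMIN_CTX = { db: '_users', name: 'admin', roles: ['_admin'] };
var SELF_CTX = { db: '_users', name: 'afiskon', roles: [] };
var NEW_USER = { _id: 'org.couchdb.user:afiskon', name: 'afiskon',
                 password: 'secret', roles: [], type: 'user' };
var UPDATED_USER = { _id: 'org.couchdb.user:afiskon', _rev: '1-constructed',
                     name: 'afiskon', password: 'changed', roles: [], type: 'user' };

// Runs the function the way CouchDB would and reports the decision.
function decide(newDoc, oldDoc, userCtx) {
  try {
    validateUserCreation(newDoc, oldDoc, userCtx, {});
    return 'accepted';
  } catch (e) {
    if (e.unauthorized) { return 'unauthorized'; }
    if (e.forbidden) { return 'forbidden'; }
    throw e;
  }
}

console.log('anonymous sign-up:', decide(NEW_USER, null, ANON_CTX));
console.log('admin creates user:', decide(NEW_USER, null, ADMIN_CTX));
console.log('user changes own password:', decide(UPDATED_USER, NEW_USER, SELF_CTX));
```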
