rnewson commented on issue #475: COUCHDB-3367: Require server admin user for db/_compact and db/_view_cleanup endpoints
URL: https://github.com/apache/couchdb/pull/475#issuecomment-312908806

This isn't quite the right approach but I really appreciate the effort and the tests. The chttpd_auth_request.erl module controls this stuff. It's my fault, I think, that I added clustered _compact without restricting it to admins.

Here's how I think it should be done;

```
diff --git a/src/chttpd/src/chttpd_auth_request.erl b/src/chttpd/src/chttpd_auth_request.erl index 90176c824..ab160ee79 100644 --- a/src/chttpd/src/chttpd_auth_request.erl +++ b/src/chttpd/src/chttpd_auth_request.erl @@ -61,6 +61,10 @@ authorize_request_int(#httpd{path_parts=[_DbName], method='PUT'}=Req) -> require_admin(Req); authorize_request_int(#httpd{path_parts=[_DbName], method='DELETE'}=Req) -> require_admin(Req); +authorize_request_int(#httpd{path_parts=[_DbName, <<"_compact">>]}=Req) -> + require_admin(Req); +authorize_request_int(#httpd{path_parts=[_DbName, <<"_view_cleanup">>]}=Req) -> + require_admin(Req); authorize_request_int(#httpd{path_parts=[_DbName|_]}=Req) -> db_authorization_check(Req).
```

----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
With regards, Apache Git Services
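
Review bot: The two added clauses match exactly two path segments, `[_DbName, <<"_compact">>]` and `[_DbName, <<"_view_cleanup">>]`, so a request with a further segment after `_compact` (the per-design-document form, `/db/_compact/ddoc`) still falls through to the `[_DbName|_]` clause and gets only `db_authorization_check(Req)`. If that form is meant to be admin-only as well, match `[_DbName, <<"_compact">>|_]` instead. Neither new clause constrains `method`, unlike the `'PUT'` and `'DELETE'` clauses above them, so every method on these two paths now requires admin; a short comment saying that is deliberate would help, and the tests should cover a non-admin request to each path.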
