m90 opened a new issue #3084: URL: https://github.com/apache/couchdb/issues/3084
## Description

As per https://docs.couchdb.org/en/stable/intro/security.html#users-documents and https://github.com/apache/couchdb/issues/1556#issuecomment-412817741 I would expect a non-admin user to be able to GET their own user doc. However, when I try to do this on a one-off CouchDB 3.1.0 it does not work that way unless I modify the `_security` doc of the `_users` db to be empty (which is probably not what I want to do).

More specifically, this behavior currently prevents us from upgrading a set of tests that worked in 2.3.1, but are now breaking in 3.1.0.

## Steps to Reproduce

This can be reproduced by creating a new user doc, a session for that user and then trying to read the user doc on a one-off 3.1.0 Docker container:

```
➜ ~ docker run -p 5984:5984 -e COUCHDB_USER=admin -e COUCHDB_PASSWORD=admin -d couchdb:3.1.0
a51152ea5dfbb5d8f96a72bbdbc0e9d9f95d6d5ba0ba3fe8c0f6f6486875bbc0
➜ ~ curl -X PUT http://admin:admin@localhost:5984/_users
{"ok":true}
➜ ~ curl -X PUT http://admin:admin@localhost:5984/_replicator
{"ok":true}
➜ ~ curl -X POST -H 'Content-Type: application/json' -d '{"name":"test","password":"test","type":"user","roles":["test"],"_id":"org.couchdb.user:test"}' http://admin:admin@localhost:5984/_users
{"ok":true,"id":"org.couchdb.user:test","rev":"1-e5d96edaaa2e4ba876a0bdf60444f603"}
➜ ~ curl -i -X POST -H 'Content-Type: application/json' -d '{"name":"test","password":"test"}' http://localhost:5984/_session
HTTP/1.1 200 OK
Cache-Control: must-revalidate
Content-Length: 43
Content-Type: application/json
Date: Tue, 18 Aug 2020 14:30:54 GMT
Server: CouchDB/3.1.0 (Erlang OTP/20)
Set-Cookie: AuthSession=dGVzdDo1RjNCRTYxRTr0TOgq9qRqg5NQDqH_sby0efn3Rw; Version=1; Expires=Tue, 18-Aug-2020 14:40:54 GMT; Max-Age=600; Path=/; HttpOnly

{"ok":true,"name":"test","roles":["test"]}
➜ ~ curl -H 'Cookie: AuthSession=dGVzdDo1RjNCRTYxRTr0TOgq9qRqg5NQDqH_sby0efn3Rw' http://localhost:5984/_users/org.couchdb.user:test
{"error":"forbidden","reason":"You are not allowed to access this db."}
```

## Expected Behaviour

I would expect this to work just like when I use admin credentials:

```
➜ ~ curl -i -X POST -H 'Content-Type: application/json' -d '{"name":"admin","password":"admin"}' http://localhost:5984/_session
HTTP/1.1 200 OK
Cache-Control: must-revalidate
Content-Length: 46
Content-Type: application/json
Date: Tue, 18 Aug 2020 14:31:29 GMT
Server: CouchDB/3.1.0 (Erlang OTP/20)
Set-Cookie: AuthSession=YWRtaW46NUYzQkU2NDI6FskvoWjZP6jrAyxVn80GzaK7RdY; Version=1; Expires=Tue, 18-Aug-2020 14:41:30 GMT; Max-Age=600; Path=/; HttpOnly

{"ok":true,"name":"admin","roles":["_admin"]}
➜ ~ curl -H 'Cookie: AuthSession=YWRtaW46NUYzQkU2NDI6FskvoWjZP6jrAyxVn80GzaK7RdY' http://localhost:5984/_users/org.couchdb.user:test
{"_id":"org.couchdb.user:test","_rev":"1-e5d96edaaa2e4ba876a0bdf60444f603","name":"test","type":"user","roles":["test"],"password_scheme":"pbkdf2","iterations":10,"derived_key":"7457722cc6e0715012e97ec0aae7d8b91698ce7f","salt":"547a57d1693cfd6a84703ddfcf10a31c"}
```

## Your Environment

* CouchDB version used: 3.1.0
* Browser name and version: n/a
* Operating system and version: Ubuntu 18 / Docker 19.03.12
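The 403 in the report comes from the `_security` document on the `_users` db, not from the user doc itself. The following is an added example (not code from the issue or from the CouchDB project): it re-implements CouchDB's documented `_security` membership rule in plain Python so the situations from the report can be compared offline: a restrictive `_users` security doc of the kind 3.x ships with, the empty `_security` the reporter used as a workaround, and a narrower grant that lists only the affected user as a member. The three security documents are constructed for illustration (the "3.x default" is an assumption about its shape, not copied from a server), and `check_self_read` is a hypothetical helper that scripts the report's curl steps for a live instance.

```python
"""Evaluate CouchDB _security membership for a user context.

Added example, not CouchDB's own code. The security documents below are
constructed; the "3.x default" is an assumed shape, not fetched from a server.
"""
import json
import urllib.error
import urllib.request
from typing import Dict, List

SERVER_ADMIN_ROLE = "_admin"


def _section(security: Dict, key: str) -> Dict[str, List[str]]:
    """Normalise `admins`/`members` so missing keys read as empty lists."""
    sec = security.get(key) or {}
    return {"names": list(sec.get("names") or []),
            "roles": list(sec.get("roles") or [])}


def _listed(section: Dict[str, List[str]], name: str, roles: List[str]) -> bool:
    return name in section["names"] or any(r in section["roles"] for r in roles)


def is_db_admin(security: Dict, name: str, roles: List[str]) -> bool:
    """Server admins (the `_admin` role) administer every db; anyone else
    must be listed by name or role in the `admins` section."""
    return SERVER_ADMIN_ROLE in roles or _listed(_section(security, "admins"), name, roles)


def can_read(security: Dict, name: str, roles: List[str]) -> bool:
    """Documented rule: an empty or missing `members` section makes the db
    readable by everyone; otherwise only listed members and admins may read."""
    if is_db_admin(security, name, roles):
        return True
    members = _section(security, "members")
    if not members["names"] and not members["roles"]:
        return True
    return _listed(members, name, roles)


# Constructed scenarios (assumed shapes, not fetched from a server).
SECURITY_3X_DEFAULT = {"admins": {"names": [], "roles": ["_admin"]},
                       "members": {"names": [], "roles": ["_admin"]}}
SECURITY_EMPTY = {}  # the reporter's workaround: _users readable by anyone
SECURITY_NARROW = {"admins": {"names": [], "roles": ["_admin"]},
                   "members": {"names": ["test"], "roles": ["_admin"]}}


def outcomes(name: str, roles: List[str]) -> Dict[str, bool]:
    """Whether `name` with `roles` may read _users under each scenario."""
    return {label: can_read(sec, name, roles) for label, sec in
            [("3x_default", SECURITY_3X_DEFAULT),
             ("empty", SECURITY_EMPTY),
             ("narrow", SECURITY_NARROW)]}


def auth_session_cookie(set_cookie: str) -> str:
    """Pull the AuthSession value out of a Set-Cookie header, as the report
    does by hand. Splits on ';' so the comma inside `Expires=` is harmless."""
    first = set_cookie.split(";", 1)[0].strip()
    key, _, value = first.partition("=")
    if key != "AuthSession" or not value:
        raise ValueError("no AuthSession cookie in header")
    return value


def check_self_read(base_url: str, name: str, password: str) -> int:
    """Hypothetical live check (needs a running server): open a cookie
    session for `name`, then GET org.couchdb.user:<name>. Returns the HTTP
    status; 200 is the expected behaviour, 403 reproduces the report."""
    body = json.dumps({"name": name, "password": password}).encode()
    req = urllib.request.Request(f"{base_url}/_session", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        cookie = auth_session_cookie(resp.headers["Set-Cookie"])
    req = urllib.request.Request(f"{base_url}/_users/org.couchdb.user:{name}",
                                 headers={"Cookie": f"AuthSession={cookie}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    print("test user :", outcomes("test", ["test"]))
    print("admin user:", outcomes("admin", ["_admin"]))
```

Running the module prints that `test` is denied under the restrictive doc but allowed under both the empty and the narrow one, while `admin` passes everywhere. The narrow variant is the point worth noting: a member entry for the specific user (or a dedicated role) restores the self-read without making every document in `_users`, password hashes included, readable by any authenticated account.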
