Aleksander Alekseev created COUCHDB-3156:
--------------------------------------------

             Summary: Users could be created by anyone (missing authorization for /_users/* endpoint)
                 Key: COUCHDB-3156
                 URL: https://issues.apache.org/jira/browse/COUCHDB-3156
             Project: CouchDB
          Issue Type: Bug
          Components: HTTP Interface
            Reporter: Aleksander Alekseev


Steps to reproduce:

1. Configure a 3-node cluster (not sure if it also reproduces on a single-node setup), make sure you've created an admin user:

{code}
curl -X PUT http://127.0.0.1:5984/_node/couchdb@10.110.2.4/_config/admins/admin -d '"password"'
{code}

2. Execute:

{code}
curl -X PUT http://localhost:5984/_users/org.couchdb.user:afiskon \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{"name": "afiskon", "password": "secret", "roles": [], "type": "user"}'
{code}

Expected behavior: User should not be created since no admin username and password were provided.

Actual behavior:

{code}
{"ok":true,"id":"org.couchdb.user:afiskon","rev":"1-ed29e6531747deca44fad127b033fe59"}
{code}

Affected version: CouchDB 2.0


--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
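The reproduction above is two curl commands and a visual check of the reply. The following is an added example, not code from the report or from the CouchDB project: a small probe that repeats step 2 programmatically (an unauthenticated PUT of a user document to /_users/org.couchdb.user:<name>), classifies the server's reply, and, if the document was accepted, deletes it again using the admin credentials from step 1 so the probe leaves no stray account behind. The endpoint paths and document shape are taken from the report; the host URL, the probe user name and the admin pair are placeholders, and the two sample replies are constructed so that the classifier can be exercised without a running node.

```python
"""Probe for the behaviour described in COUCHDB-3156 (added example, not
part of the report or of CouchDB). Host, probe user and admin credentials
below are placeholders."""

import base64
import json
import urllib.error
import urllib.request

# Constructed sample replies in the shape of CouchDB's JSON responses, used
# to exercise classify() offline. The first mirrors the body quoted in the
# report; the second is what an enforced admin check would return.
SAMPLE_ACCEPTED = (201, '{"ok":true,"id":"org.couchdb.user:afiskon",'
                        '"rev":"1-ed29e6531747deca44fad127b033fe59"}')
SAMPLE_REJECTED = (401, '{"error":"unauthorized",'
                        '"reason":"You are not a server admin."}')


def build_user_doc(name, password):
    """Same document shape the report PUTs: a _users doc with no roles."""
    return {"name": name, "password": password, "roles": [], "type": "user"}


def classify(status, body):
    """Map a PUT reply to 'accepted' (document was created), 'rejected'
    (the server enforced authorization) or 'unknown' (anything else, such
    as a 409 conflict or a non-JSON body)."""
    try:
        reply = json.loads(body)
    except ValueError:
        return "unknown"
    if status in (200, 201, 202) and reply.get("ok") is True and "rev" in reply:
        return "accepted"
    if status in (401, 403) and reply.get("error") in ("unauthorized", "forbidden"):
        return "rejected"
    return "unknown"


def _request(method, url, payload=None, auth=None, timeout=5):
    """Issue one HTTP request and return (status, body). HTTP error replies
    are returned rather than raised so 401/403 can be classified normally."""
    data = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    if auth is not None:  # Basic auth with the admin created in step 1
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def probe(base_url, name, password, admin=None):
    """Return the classification of an unauthenticated user-doc PUT. If the
    PUT was accepted and admin credentials are given, delete the document
    again (DELETE needs the _rev from the PUT reply)."""
    url = f"{base_url}/_users/org.couchdb.user:{name}"
    status, body = _request("PUT", url, build_user_doc(name, password))
    verdict = classify(status, body)
    if verdict == "accepted" and admin is not None:
        rev = json.loads(body)["rev"]
        _request("DELETE", f"{url}?rev={rev}", auth=admin)
    return verdict


if __name__ == "__main__":
    # Placeholder host and probe user; the admin pair matches step 1 of the report.
    print(probe("http://127.0.0.1:5984", "probe_user", "probe_pw",
                admin=("admin", "password")))
```

Run it only against a test node you control: the PUT really creates an account on a server showing the reported behaviour, which is why the probe deletes the document afterwards. A reply of "unknown" usually means the probe user already exists (409 conflict) or the server answered with something other than the two documented shapes, so inspect the raw status and body before drawing a conclusion.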