Aleksander Alekseev created COUCHDB-3156:
--------------------------------------------

             Summary: Users could be created by anyone (missing authorization for /_users/* endpoint)
                 Key: COUCHDB-3156
                 URL: https://issues.apache.org/jira/browse/COUCHDB-3156
             Project: CouchDB
          Issue Type: Bug
          Components: HTTP Interface
            Reporter: Aleksander Alekseev


Steps to reproduce:

1. Configure a 3-node cluster (not sure if it also reproduces on a single-node setup), make sure you've created an admin user:

{code}
curl -X PUT http://127.0.0.1:5984/_node/couchdb@10.110.2.4/_config/admins/admin \
     -d '"password"'
{code}

2. Execute:

{code}
curl -X PUT http://localhost:5984/_users/org.couchdb.user:afiskon \
     -H "Accept: application/json" \
     -H "Content-Type: application/json" \
     -d '{"name": "afiskon", "password": "secret", "roles": [], "type": "user"}'
{code}

Expected behavior:

User should not be created since no admin username and password were provided.

Actual behavior:

{code}
{"ok":true,"id":"org.couchdb.user:afiskon","rev":"1-ed29e6531747deca44fad127b033fe59"}
{code}

Affected version:

CouchDB 2.0
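A small regression check for this report, added here as an example and not part of the original issue or of CouchDB itself: it sends the same unauthenticated PUT to /_users and classifies the reply, so an operator can confirm that a node rejects the request (401/403) instead of answering {"ok":true,...}. The base URL, the user name and the `transport` hook are assumptions chosen for the example.

```python
import json
import urllib.error
import urllib.request

# Document id convention used by the _users database (from the report).
USER_DOC_PREFIX = "org.couchdb.user:"


def users_put_request(base_url, name):
    """Build the unauthenticated PUT from step 2 of the report (no admin credentials)."""
    body = json.dumps({"name": name, "password": "secret", "roles": [], "type": "user"})
    return urllib.request.Request(
        f"{base_url}/_users/{USER_DOC_PREFIX}{name}",
        data=body.encode(),
        method="PUT",
        headers={"Accept": "application/json", "Content-Type": "application/json"},
    )


def classify(status, body):
    """Map status code + JSON body to a verdict on the missing-authorization check."""
    if status in (401, 403):
        return "rejected"            # expected behaviour: anonymous caller is refused
    if status in (200, 201):
        try:
            doc = json.loads(body)
        except ValueError:
            return "unexpected"
        if doc.get("ok") is True and str(doc.get("id", "")).startswith(USER_DOC_PREFIX):
            return "created-without-auth"   # the behaviour the report describes
    return "unexpected"


def send(req):
    """Default transport: return (status, body), also for non-2xx replies."""
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def check_users_endpoint(base_url, name, transport=send):
    """Run the check; `transport` is injectable so the logic can be exercised offline."""
    status, body = transport(users_put_request(base_url, name))
    return classify(status, body)


if __name__ == "__main__":
    print(check_users_endpoint("http://localhost:5984", "afiskon"))
```

Run it against a test node only: when the verdict is "created-without-auth" the request has really written the user document, exactly as in the report.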



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to