Cheers Robert!

The problem is, I'm sending these requests from the browser, which does not 
allow me to override the Cookie header for security reasons.

Do you think it would make sense to switch the order? In case both 
authentication methods are passed, with different credentials, I don't see a 
use case why Cookie should overwrite HTTP basic, do you?

But besides that, is there any other workaround you can think of?

My use case is that each user has its own database. To share data, separate 
shared dbs do get created. I'd like to allow password protection for these 
using CouchDB's built-in security mechanisms.

-- 
Gregor Martynus


On Wednesday, 23. May 2012 at 19:33, Robert Newson wrote:

> I think we check for the cookie first. Just don't send it when you
> 'send a request as user2'.
> 
> B.
> 
> On 23 May 2012 18:27, Gregor Martynus <[email protected]> wrote:
> > Hey couch folks,
> > 
> > let's say there is a database "user2", which has Readers: ["user2"] in its 
> > security settings.
> > 
> > Now let's say user1 is logged in, with cookie authentication and he has the 
> > password of user2. Is there any way he can make an authenticated request as 
> > user2: `GET /user2/_all_docs`
> > 
> > I tried it with the Authorization header, but that only works if I'm signed 
> > out. Once I'm signed in as a user, the Authorization header is ignored.
> > 
> > So the question is: when I'm logged in as user1 with cookies, can I send a 
> > request as user2, when I know the password?
> > 
> > --
> > Gregor Martynus
> > 