Details

    • Type: Question Question
    • Status: Open
    • Priority: Minor Minor
    • Resolution: Unresolved
    • Affects Version/s: 1.2
    • Fix Version/s: None
    • Component/s: Database Core
    • Labels:
      None
    • Environment:

      Debian/testing

    • Skill Level:
      Committers Level (Medium to Hard)

      Description

      Sorry I'm coming in late on this topic, I found this while testing my existing code against 1.2.0.

      The comments for commit e5503ffef957dc5e8784c7223e318738ae79b6df indicate for `after_doc_read`:

      If the doc is a design doc and the userCtx doesn't identify
      an admin or db-admin:
      -> 403 // Forbidden

      This breaks the (previously working) case where access to the _users database is restricted using a "members" security property, and authorized users could use a couchapp found in the _users database to manager user records.

      (These power-users would have, say, "user_manager_ro" and "user_manager_rw" roles assigned to them, with the ro/rw aspect handled by a specific validate_doc_udpate() which would be part of the couchapp; the roles were entered in the _users' database members.roles security field.)

      Pointing me back to a discussion explaining the background for this new behavior would be sufficient, if it is effectively a desirable side-effect and things will remain as they are. Otherwise it seems a finer-grained logic for after_doc_read() would be able to restore the desired result, along the lines of:

      If the doc is a design doc and (there are no security members.roles and no members.names) and (the userCtx doesn't identify
      an admin or db-admin)
      -> 403 // Forbidden

      Thanks,
      S.

      PS: Overall I'm surprised the changes in that commit used new Erlang code rather than suggesting best-practices using the exisiting security features. I don't understand how hiding the design documents enhances security ("security by obscurity"), but that's beyond what I'm asking here.

        Activity

          People

          • Assignee:
            Unassigned
            Reporter:
            Stéphane Alnet
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:

              Development