[COUCHDB-3156] Users could be created by anyone (missing authorization for /_users/* endpoint) - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Won't Fix
Affects Version/s: None
Fix Version/s: None
Component/s: HTTP Interface
Labels:
None

Description

Steps to reproduce:

1. Configure a 3-node cluster (not sure if it also reproduces on a single-node setup), make sure you've created an admin user:

curl -X PUT http://127.0.0.1:5984/_node/couchdb@10.110.2.4/_config/admins/admin -d '"password"'

2. Execute:

curl -X PUT http://localhost:5984/_users/org.couchdb.user:afiskon \
     -H "Accept: application/json" \
     -H "Content-Type: application/json" \
     -d '{"name": "afiskon", "password": "secret", "roles": [], "type": "user"}'

Expected behavior:

{"error":"unauthorized","reason":"You are not a server admin."}

( User should not be created since no admin username and password were provided. )

Actual behavior:

{"ok":true,"id":"org.couchdb.user:afiskon","rev":"1-ed29e6531747deca44fad127b033fe59"}

Affected version:

CouchDB 2.0

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Aleksander Alekseev

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 22/Sep/16 16:20

Updated:: 02/Sep/18 07:06

Resolved:: 02/Sep/18 07:06