CouchDB issue COUCHDB-3156

Users could be created by anyone (missing authorization for /_users/* endpoint)

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: HTTP Interface
    • Labels: None

      Description

      Steps to reproduce:

      1. Configure a 3-node cluster (not sure if it also reproduces on a single-node setup), make sure you've created an admin user:

      curl -X PUT http://127.0.0.1:5984/_node/couchdb@10.110.2.4/_config/admins/admin -d '"password"'

      2. Execute:

      curl -X PUT http://localhost:5984/_users/org.couchdb.user:afiskon \
           -H "Accept: application/json" \
           -H "Content-Type: application/json" \
           -d '{"name": "afiskon", "password": "secret", "roles": [], "type": "user"}'

      Expected behavior:

      {"error":"unauthorized","reason":"You are not a server admin."}

      (The user should not be created, since no admin username and password were provided.)

      Actual behavior:

      {"ok":true,"id":"org.couchdb.user:afiskon","rev":"1-ed29e6531747deca44fad127b033fe59"}

      Affected version:

      CouchDB 2.0
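Added here as a defender's audit check; it is not code from this issue or from the CouchDB project. It replays the unauthenticated PUT from step 2 through an injectable transport and classifies the answer by the two response bodies quoted above (rejected vs. created). `put_user_doc` and `urllib_put` are hypothetical helpers introduced for this example, and the canned responses are constructed from the bodies shown in the report.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Tuple

# Constructed sample responses, copied from the bodies quoted in this report.
SAMPLE_REJECTED = (401, '{"error":"unauthorized","reason":"You are not a server admin."}')
SAMPLE_ACCEPTED = (201, '{"ok":true,"id":"org.couchdb.user:afiskon",'
                        '"rev":"1-ed29e6531747deca44fad127b033fe59"}')


def classify_signup_response(status: int, body: str) -> str:
    """Map a /_users PUT response to an audit verdict.

    "closed"  : server refused the unauthenticated create (expected behaviour)
    "open"    : the user doc was created without admin credentials (this report)
    "unknown" : anything else (non-JSON body, other status codes)
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return "unknown"
    if status in (200, 201, 202) and doc.get("ok") is True:
        return "open"
    if status in (401, 403) and doc.get("error") in ("unauthorized", "forbidden"):
        return "closed"
    return "unknown"


def audit_public_signup(put_user_doc: Callable[[str, dict], Tuple[int, str]],
                        name: str = "audit-probe") -> str:
    """Run the probe from step 2 through an injected transport (hypothetical hook).

    put_user_doc(doc_id, body) performs an unauthenticated PUT on /_users/<doc_id>
    and returns (status, body_text); injecting it keeps the check runnable offline.
    """
    doc_id = f"org.couchdb.user:{name}"
    body = {"name": name, "password": "probe-only", "roles": [], "type": "user"}
    status, text = put_user_doc(doc_id, body)
    return classify_signup_response(status, text)


def urllib_put(base_url: str) -> Callable[[str, dict], Tuple[int, str]]:
    """Real transport for a live check (hypothetical helper): unauthenticated PUT."""
    def put(doc_id: str, body: dict) -> Tuple[int, str]:
        req = urllib.request.Request(
            f"{base_url}/_users/{doc_id}", method="PUT", data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json", "Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:   # 401/403 arrive as exceptions
            return err.code, err.read().decode()
    return put
```

If a live run returns "open", the probe document it created should be deleted with admin credentials afterwards, and the verdict recorded as a finding against the deployment's `_users` access policy.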

            People

            • Assignee: Unassigned
            • Reporter: afiskon (Aleksander Alekseev)
            • Votes: 0
            • Watchers: 5
