Posted to dev@couchdb.apache.org by "Alexander Shorin (JIRA)" <ji...@apache.org> on 2013/06/22 00:56:19 UTC

[jira] [Created] (COUCHDB-1837) Incorrect HTTP response on attempt to update other user doc with public fields enabled

Alexander Shorin created COUCHDB-1837:
-----------------------------------------

             Summary: Incorrect HTTP response on attempt to update other user doc with public fields enabled
                 Key: COUCHDB-1837
                 URL: https://issues.apache.org/jira/browse/COUCHDB-1837
             Project: CouchDB
          Issue Type: Bug
          Components: HTTP Interface
            Reporter: Alexander Shorin


When `public_fields` are specified (see the [8d7ab8b1|https://git-wip-us.apache.org/repos/asf?p=couchdb.git;a=commit;h=8d7ab8b18dd20f8785e69f4420c6f93a2edbfa60] commit) and a regular user tries to update another user's doc, CouchDB returns HTTP 404 Not Found, while HTTP 403 Forbidden is more expected.

Steps to reproduce:

1. Enable `public_fields`

{code}
curl -X PUT http://localhost:5984/_config/couch_httpd_auth/public_fields -d '"name,email,whatever"' -H "Content-Type: application/json" --user couch_admin  
{code}

2. Setup some users

{code}
curl -X PUT http://localhost:5984/_users/org.couchdb.user:abc -d '{"name":"abc", "roles":[], "type":"user", "password": "cba"}'  -H "Content-Type: application/json"  
curl -X PUT http://localhost:5984/_users/org.couchdb.user:def -d '{"name":"def", "roles":[], "type":"user", "password": "fed"}'  -H "Content-Type: application/json"  
{code}

3. Now user `abc` may browse `def` doc

{code}
> curl -v http://abc:cba@localhost:5984/_users/org.couchdb.user:def                                                       

HTTP/1.1 200 OK
Cache-Control: must-revalidate
Content-Length: 88
Content-Type: text/plain; charset=utf-8
Date: Fri, 21 Jun 2013 22:48:03 GMT
ETag: "1-fa20c151bb6946527d261e9ef4338923"
Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)

{"_id":"org.couchdb.user:def","_rev":"1-fa20c151bb6946527d261e9ef4338923","name":"def"}
{code}

4. Try to save `def`'s doc:

{code}
curl -v -X PUT http://abc:cba@localhost:5984/_users/org.couchdb.user:def -d '{}' -H "Content-Type: application/json"          

HTTP/1.1 404 Object Not Found
Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
Date: Fri, 21 Jun 2013 22:49:44 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 41
Cache-Control: must-revalidate

{"error":"not_found","reason":"missing"}
{code}

Since the `org.couchdb.user:def` doc actually exists and is available via a direct GET request, the 404 response is incorrect and confusing, while HTTP 403 Forbidden is expected.

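The following is an added example, not code from the JIRA report or from the CouchDB project. It turns the four reproduction steps above into a repeatable authorisation check: as the non-owner `abc`, GET `def`'s doc, attempt the PUT, GET again, and classify the outcome. The point for a defender is twofold: whatever status code comes back, the target doc's `_rev` must be unchanged (no write happened), and the status should be 403 rather than the 404 reported here. The base URL `http://localhost:5984`, the users `abc`/`cba` and `def`, and the `fake_couchdb_1837` transport (constructed from the response bodies quoted in the report) are assumptions so the script runs without a server; pass the default `http_request` to run it against a live instance.

```python
"""Regression check for the COUCHDB-1837 behaviour (added example, not from the report)."""
import base64
import json
import urllib.error
import urllib.request

# Status a correctly authorised server should return for a cross-user update.
EXPECTED_FORBIDDEN = 403
# Status reported in COUCHDB-1837 when public_fields is enabled.
REPORTED_NOT_FOUND = 404


def basic_auth_header(user, password):
    """Build the Basic auth header curl derives from the user:pass@host form."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def _parse(raw):
    """Decode a response body as JSON where possible, else return text."""
    try:
        return json.loads(raw.decode())
    except (ValueError, UnicodeDecodeError):
        return raw.decode(errors="replace")


def http_request(method, url, body=None, headers=None):
    """Perform one HTTP request with urllib; return (status, parsed body)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, _parse(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, _parse(err.read())


def classify_cross_user_update(get_status, put_status, rev_before, rev_after):
    """Classify a non-owner PUT against another user's doc.

    'correct'       GET works (public_fields), PUT is 403, rev unchanged
    'couchdb-1837'  GET works, PUT is 404 although the doc exists (this bug)
    'write_allowed' PUT succeeded or the rev changed: an authorisation failure
    'hidden'        GET itself failed; public_fields probably not enabled
    'other'         anything else, inspect manually
    """
    if rev_before != rev_after or 200 <= put_status < 300:
        return "write_allowed"
    if get_status != 200:
        return "hidden"
    if put_status == EXPECTED_FORBIDDEN:
        return "correct"
    if put_status == REPORTED_NOT_FOUND:
        return "couchdb-1837"
    return "other"


def check_cross_user_update(base_url, actor, actor_password, target, request=http_request):
    """Run the report's steps 3 and 4 as `actor` against `target`'s user doc.

    `request` is injectable so the logic can be exercised without a server.
    """
    url = f"{base_url}/_users/org.couchdb.user:{target}"
    headers = basic_auth_header(actor, actor_password)
    get_status, before = request("GET", url, headers=headers)
    rev_before = before.get("_rev") if isinstance(before, dict) else None
    put_status, _ = request("PUT", url, body={}, headers=headers)
    _, after = request("GET", url, headers=headers)
    rev_after = after.get("_rev") if isinstance(after, dict) else None
    return {
        "get_status": get_status,
        "put_status": put_status,
        "rev_unchanged": rev_before == rev_after,
        "verdict": classify_cross_user_update(get_status, put_status, rev_before, rev_after),
    }


def fake_couchdb_1837(method, url, body=None, headers=None):
    """Constructed stand-in transport replaying the responses quoted in the report."""
    doc = {"_id": "org.couchdb.user:def",
           "_rev": "1-fa20c151bb6946527d261e9ef4338923", "name": "def"}
    if method == "GET":
        return 200, doc
    return 404, {"error": "not_found", "reason": "missing"}


if __name__ == "__main__":
    # Replace request=fake_couchdb_1837 with the default to probe a live server.
    print(check_cross_user_update("http://localhost:5984", "abc", "cba", "def",
                                  request=fake_couchdb_1837))
```

A result of `write_allowed` is the one that matters operationally: it means the `_users` authorisation check has been bypassed, which is far more serious than the 403-versus-404 inconsistency the report describes. `hidden` simply indicates `public_fields` is not configured, so the doc is not readable by other users at all.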