Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2020/08/18 14:38:05 UTC

[GitHub] [couchdb] m90 opened a new issue #3084: Non-Admin users are unable to read their own user doc in 3.1.0

m90 opened a new issue #3084:
URL: https://github.com/apache/couchdb/issues/3084


   ## Description
   
   As per https://docs.couchdb.org/en/stable/intro/security.html#users-documents and https://github.com/apache/couchdb/issues/1556#issuecomment-412817741 I would expect a non-admin user to be able to GET their own user doc. However, when I try to do this on a one-off CouchDB 3.1.0 it does not work that way unless I modify the `_security` doc of the `_users` db to be empty (which is probably not what I want to do).
   
   More specifically, this behavior currently prevents us from upgrading a set of tests that worked in 2.3.1, but are now breaking in 3.1.0.
   
   ## Steps to Reproduce
   
   This can be reproduced by creating a new user doc, a session for that user and then trying to read the user doc on a one-off 3.1.0 Docker container:
   
   ```
   ➜  ~ docker run -p 5984:5984 -e COUCHDB_USER=admin -e COUCHDB_PASSWORD=admin -d couchdb:3.1.0
   a51152ea5dfbb5d8f96a72bbdbc0e9d9f95d6d5ba0ba3fe8c0f6f6486875bbc0
   ➜  ~ curl -X PUT http://admin:admin@localhost:5984/_users
   {"ok":true}
   ➜  ~ curl -X PUT http://admin:admin@localhost:5984/_replicator
   {"ok":true}
   ➜  ~ curl -X POST -H 'Content-Type: application/json' -d '{"name":"test","password":"test","type":"user","roles":["test"],"_id":"org.couchdb.user:test"}' http://admin:admin@localhost:5984/_users
   {"ok":true,"id":"org.couchdb.user:test","rev":"1-e5d96edaaa2e4ba876a0bdf60444f603"}
   ➜  ~ curl -i -X POST -H 'Content-Type: application/json' -d '{"name":"test","password":"test"}' http://localhost:5984/_session
   HTTP/1.1 200 OK
   Cache-Control: must-revalidate
   Content-Length: 43
   Content-Type: application/json
   Date: Tue, 18 Aug 2020 14:30:54 GMT
   Server: CouchDB/3.1.0 (Erlang OTP/20)
   Set-Cookie: AuthSession=dGVzdDo1RjNCRTYxRTr0TOgq9qRqg5NQDqH_sby0efn3Rw; Version=1; Expires=Tue, 18-Aug-2020 14:40:54 GMT; Max-Age=600; Path=/; HttpOnly
   
   {"ok":true,"name":"test","roles":["test"]}
   ➜  ~ curl -H 'Cookie: AuthSession=dGVzdDo1RjNCRTYxRTr0TOgq9qRqg5NQDqH_sby0efn3Rw' http://localhost:5984/_users/org.couchdb.user:test
   {"error":"forbidden","reason":"You are not allowed to access this db."}
   ```

   ## Expected Behaviour
   
   I would expect this to work just like when I use admin credentials:
   
   ```
   ➜  ~ curl -i -X POST -H 'Content-Type: application/json' -d '{"name":"admin","password":"admin"}' http://localhost:5984/_session
   HTTP/1.1 200 OK
   Cache-Control: must-revalidate
   Content-Length: 46
   Content-Type: application/json
   Date: Tue, 18 Aug 2020 14:31:29 GMT
   Server: CouchDB/3.1.0 (Erlang OTP/20)
   Set-Cookie: AuthSession=YWRtaW46NUYzQkU2NDI6FskvoWjZP6jrAyxVn80GzaK7RdY; Version=1; Expires=Tue, 18-Aug-2020 14:41:30 GMT; Max-Age=600; Path=/; HttpOnly
   
   {"ok":true,"name":"admin","roles":["_admin"]}
   ➜  ~ curl -H 'Cookie: AuthSession=YWRtaW46NUYzQkU2NDI6FskvoWjZP6jrAyxVn80GzaK7RdY' http://localhost:5984/_users/org.couchdb.user:test
   {"_id":"org.couchdb.user:test","_rev":"1-e5d96edaaa2e4ba876a0bdf60444f603","name":"test","type":"user","roles":["test"],"password_scheme":"pbkdf2","iterations":10,"derived_key":"7457722cc6e0715012e97ec0aae7d8b91698ce7f","salt":"547a57d1693cfd6a84703ddfcf10a31c"}
   ```
   
   ## Your Environment
   
   * CouchDB version used: 3.1.0
   * Browser name and version: n/a
   * Operating system and version: Ubuntu 18 / Docker 19.03.12
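The reproduction steps above, turned into an automated least-privilege check that a test suite can run against an instance where the `test` user exists as created above. This is an added example, not code from the issue or from the CouchDB project; it authenticates with HTTP Basic auth instead of the AuthSession cookie shown in the report, and the `other` user name and the `COUCHDB_URL` environment variable are assumptions.

```python
"""Least-privilege check for the CouchDB _users database (added example, not project code)."""
import base64
import json
import os
import sys
import urllib.error
import urllib.request


def couch_request(base_url, method, path, body=None, headers=None):
    """Send one JSON request with the standard library; return (status, decoded body)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base_url + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    for key, value in (headers or {}).items():
        req.add_header(key, value)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def check_users_db_access(request, name, password, other_name):
    """Authenticate as non-admin `name` with HTTP Basic auth (instead of the AuthSession
    cookie used in the report) and return a list of findings; an empty list means OK.
    `request(method, path, body, headers)` is injected so the logic can be tested offline.
    """
    token = base64.b64encode(f"{name}:{password}".encode()).decode()
    auth = {"Authorization": "Basic " + token}
    own_status, own_doc = request("GET", f"/_users/org.couchdb.user:{name}", None, auth)
    other_status, _ = request("GET", f"/_users/org.couchdb.user:{other_name}", None, auth)
    findings = []
    if own_status != 200 or own_doc.get("name") != name:
        # The symptom from the report: 403 "You are not allowed to access this db."
        findings.append(f"user {name!r} cannot read own doc (HTTP {own_status})")
    if other_status == 200:
        # This check expects a user to be unable to read another user's doc.
        findings.append(f"user {name!r} can read {other_name!r}'s doc (HTTP 200)")
    return findings


if __name__ == "__main__":
    # Live run (assumed): COUCHDB_URL points at an instance where user "test" exists as in the report.
    url = os.environ.get("COUCHDB_URL", "http://localhost:5984")
    problems = check_users_db_access(lambda m, p, b, h: couch_request(url, m, p, b, h), "test", "test", "other")
    print("\n".join(problems) or "ok: non-admin user can read only its own doc")
    sys.exit(1 if problems else 0)
```

Run against the 3.1.0 container from the report, the script exits non-zero with the "cannot read own doc (HTTP 403)" finding; against an instance behaving as the author expects, it exits zero.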


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [couchdb] wohali commented on issue #3084: Non-Admin users are unable to read their own user doc in 3.1.0

Posted by GitBox <gi...@apache.org>.
wohali commented on issue #3084:
URL: https://github.com/apache/couchdb/issues/3084#issuecomment-675546485


   No problem.



[GitHub] [couchdb] wohali closed issue #3084: Non-Admin users are unable to read their own user doc in 3.1.0

Posted by GitBox <gi...@apache.org>.
wohali closed issue #3084:
URL: https://github.com/apache/couchdb/issues/3084



[GitHub] [couchdb] m90 commented on issue #3084: Non-Admin users are unable to read their own user doc in 3.1.0

Posted by GitBox <gi...@apache.org>.
m90 commented on issue #3084:
URL: https://github.com/apache/couchdb/issues/3084#issuecomment-675519635


   This is likely a duplicate of https://github.com/apache/couchdb/issues/2881



[GitHub] [couchdb] m90 edited a comment on issue #3084: Non-Admin users are unable to read their own user doc in 3.1.0

Posted by GitBox <gi...@apache.org>.
m90 edited a comment on issue #3084:
URL: https://github.com/apache/couchdb/issues/3084#issuecomment-675519635


   This is likely a duplicate of https://github.com/apache/couchdb/issues/2881 and can be closed again. Sorry for the noise.
