Posted to notifications@couchdb.apache.org by gi...@git.apache.org on 2017/07/04 15:49:05 UTC

[GitHub] rnewson commented on issue #475: COUCHDB-3367: Require server admin user for db/_compact and db/_view_cleanup endpoints

rnewson commented on issue #475: COUCHDB-3367: Require server admin user for db/_compact and db/_view_cleanup endpoints
URL: https://github.com/apache/couchdb/pull/475#issuecomment-312908806
 
 
   This isn't quite the right approach but I really appreciate the effort and the tests. The chttpd_auth_request.erl module controls this stuff. It's my fault, I think, that I added clustered _compact without restricting it to admins. Here's how I think it should be done:
   
   ```
   diff --git a/src/chttpd/src/chttpd_auth_request.erl b/src/chttpd/src/chttpd_auth_request.erl
   index 90176c824..ab160ee79 100644
   --- a/src/chttpd/src/chttpd_auth_request.erl
   +++ b/src/chttpd/src/chttpd_auth_request.erl
   @@ -61,6 +61,10 @@ authorize_request_int(#httpd{path_parts=[_DbName], method='PUT'}=Req) ->
        require_admin(Req);
    authorize_request_int(#httpd{path_parts=[_DbName], method='DELETE'}=Req) ->
        require_admin(Req);
   +authorize_request_int(#httpd{path_parts=[_DbName, <<"_compact">>]}=Req) ->
   +    require_admin(Req);
   +authorize_request_int(#httpd{path_parts=[_DbName, <<"_view_cleanup">>]}=Req) ->
   +    require_admin(Req);
    authorize_request_int(#httpd{path_parts=[_DbName|_]}=Req) ->
        db_authorization_check(Req).
   ```
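
Review bot: the two added clauses match only a two-element `path_parts`, so a request with a further segment after `_compact` (the per-design-document form, `/db/_compact/ddocname`) does not hit `require_admin` and falls through to the `[_DbName|_]` clause, where it gets `db_authorization_check` only. If that form should also be admin-only, match the tail as well, for example `path_parts=[_DbName, <<"_compact">>|_]`. The clauses also carry no `method` constraint, unlike the `'PUT'` and `'DELETE'` clauses above them, so every method on these paths now requires admin; that looks intended, but a short comment saying so would help, along with a test that a non-admin database member is rejected on both endpoints.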
 