Posted to user@couchdb.apache.org by Gregor Martynus <gr...@martynus.net> on 2012/06/20 18:28:18 UTC

deleting own user account

I'm quite sure that this worked before, but doesn't seem to work anymore. 

Let's say I have a user account "test" and am signed in as "test".
The _rev number of users/org.couchdb.user:test is '1-234'

Shouldn't I be able to delete my own account with
DELETE /users/org.couchdb.user:test?rev=1-234
?

I get a 404 response, but am still signed in as test

The same happens when I try to PUT the document with _deleted: true ...

Any idea? 

-- 
Gregor


Re: deleting own user account

Posted by Robert Newson <rn...@apache.org>.
Yeah, this looks like a bug/regression caused by the system db security patch (e5503ffef957dc5e8784c7223e318738ae79b6df)

The userCtx name is compared to the "name" field inside the document to be updated. In the case of a deletion, it has no such field, so the test fails. Thus, a user cannot delete their own account. They are supposed to be able to, so this is a bug. Please file a JIRA ticket.

b.

On 22 Jun 2012, at 16:35, Gregor Martynus wrote:

> Can anybody confirm that when signed in as a user, I cannot DELETE my own _users doc? It's simple to test in futon. 
> Is this a feature, or a bug?
> 
> I tested it on couchDB 1.2 myself. 
> 
> -- 
> Gregor Martynus
> 
> 
> On Wednesday, 20. June 2012 at 19:35, Gregor Martynus wrote:
> 
>> Robert, I get a 200 when I GET the same path. When I'm signed in as "test" in futon and delete my own /_users doc, I get a 404 as well. Is that not the case for you?
>> 
>> I'm on couchDB 1.2, tested locally and on IrisCouch 
>> 
>> -- 
>> Gregor Martynus
>> 
>> 
>> On Wednesday, 20. June 2012 at 18:45, Robert Newson wrote:
>> 
>>> 
>>> Do you get a 200 when you GET that same doc id? I suspect you get a 404. If so, check you have the right id, perhaps you need to escape some fields. Better, try deleting it from Futon which handles the escaping for you.
>>> 
>>> If you're deleting an admin user, then you need to modify your .ini files (preferably via /_config/admins) instead.
>>> 
>>> B.
>>> 
>>> On 20 Jun 2012, at 17:28, Gregor Martynus wrote:
>>> 
>>>> I'm quite sure that this worked before, but doesn't seem to work anymore. 
>>>> 
>>>> Let's say I have a user account "test" and am signed in as "test".
>>>> The _rev number of users/org.couchdb.user:test is '1-234'
>>>> 
>>>> Shouldn't I be able to delete my own account with
>>>> DELETE /users/org.couchdb.user:test?rev=1-234
>>>> ?
>>>> 
>>>> I get a 404 response, but am still signed in as test
>>>> 
>>>> The same happens when I try to PUT the document with _deleted: true ...
>>>> 
>>>> Any idea? 
>>>> 
>>>> -- 
>>>> Gregor
>>>> 
>>> 
>>> 
>>> 
>>> 
>> 
>> 
> 
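
The failure described at the top of this reply can be reproduced with a small model. This is an added example, not CouchDB's code (the real check is Erlang in couch_users_db.erl); may_write, decisions and the sample documents are constructed for illustration, and the id-based lookup mirrors the fix posted in this thread.

```python
# Simplified model of the ownership check discussed in the thread.
USER_PREFIX = "org.couchdb.user:"  # id prefix shown in the thread


def name_from_body(doc):
    """Lookup before the fix: owner is the "name" field of the body."""
    return doc.get("name")


def name_from_id(doc):
    """Lookup after the fix: owner is whatever follows the prefix in _id."""
    doc_id = doc.get("_id", "")
    if doc_id.startswith(USER_PREFIX):
        return doc_id[len(USER_PREFIX):]
    return None  # assumption: an id without the prefix has no owner


def may_write(user_ctx, doc, get_name):
    """Hypothetical gate: a user may only write a doc they own."""
    owner = get_name(doc)
    return owner is not None and owner == user_ctx["name"]


# Constructed sample data.
TEST_USER = {"name": "test"}
UPDATE = {"_id": "org.couchdb.user:test", "_rev": "1-234",
          "name": "test", "type": "user", "roles": []}
# A deletion carries only the id, the revision and the _deleted flag.
TOMBSTONE = {"_id": "org.couchdb.user:test", "_rev": "1-234",
             "_deleted": True}
OTHER_TOMBSTONE = {"_id": "org.couchdb.user:alice", "_rev": "1-abc",
                   "_deleted": True}
# Body name and id disagree: the two lookups give different owners.
MISMATCHED = dict(UPDATE, name="alice")


def decisions(get_name):
    """Return the allow/deny decision for each constructed request."""
    docs = {"update_own": UPDATE, "delete_own": TOMBSTONE,
            "delete_other": OTHER_TOMBSTONE, "update_mismatched": MISMATCHED}
    return {k: may_write(TEST_USER, d, get_name) for k, d in docs.items()}


if __name__ == "__main__":
    print("name from body:", decisions(name_from_body))
    print("name from id:  ", decisions(name_from_id))
```

The update_mismatched case shows that the two lookups only agree while the body's name and the id suffix are kept identical, so that agreement has to be enforced somewhere else.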


Re: deleting own user account

Posted by Robert Newson <rn...@apache.org>.
I can confirm the behavior. Once I find the code in question I can tell you if it's intentional, but I don't think it is. In this case, we should be returning a 4xx telling you that you can't delete yourself, or allow it. So, if it's intentional, it's quite confusingly implemented.

B.

On 22 Jun 2012, at 16:35, Gregor Martynus wrote:

> Can anybody confirm that when signed in as a user, I cannot DELETE my own _users doc? It's simple to test in futon. 
> Is this a feature, or a bug?
> 
> I tested it on couchDB 1.2 myself. 
> 
> -- 
> Gregor Martynus
> 
> 
> On Wednesday, 20. June 2012 at 19:35, Gregor Martynus wrote:
> 
>> Robert, I get a 200 when I GET the same path. When I'm signed in as "test" in futon and delete my own /_users doc, I get a 404 as well. Is that not the case for you?
>> 
>> I'm on couchDB 1.2, tested locally and on IrisCouch 
>> 
>> -- 
>> Gregor Martynus
>> 
>> 
>> On Wednesday, 20. June 2012 at 18:45, Robert Newson wrote:
>> 
>>> 
>>> Do you get a 200 when you GET that same doc id? I suspect you get a 404. If so, check you have the right id, perhaps you need to escape some fields. Better, try deleting it from Futon which handles the escaping for you.
>>> 
>>> If you're deleting an admin user, then you need to modify your .ini files (preferably via /_config/admins) instead.
>>> 
>>> B.
>>> 
>>> On 20 Jun 2012, at 17:28, Gregor Martynus wrote:
>>> 
>>>> I'm quite sure that this worked before, but doesn't seem to work anymore. 
>>>> 
>>>> Let's say I have a user account "test" and am signed in as "test".
>>>> The _rev number of users/org.couchdb.user:test is '1-234'
>>>> 
>>>> Shouldn't I be able to delete my own account with
>>>> DELETE /users/org.couchdb.user:test?rev=1-234
>>>> ?
>>>> 
>>>> I get a 404 response, but am still signed in as test
>>>> 
>>>> The same happens when I try to PUT the document with _deleted: true ...
>>>> 
>>>> Any idea? 
>>>> 
>>>> -- 
>>>> Gregor
>>>> 
>>> 
>>> 
>>> 
>>> 
>> 
>> 
> 


Re: deleting own user account

Posted by Robert Newson <rn...@apache.org>.
The fix:

diff --git a/src/couchdb/couch_users_db.erl b/src/couchdb/couch_users_db.erl
index 6735fb6..434ca6b 100644
--- a/src/couchdb/couch_users_db.erl
+++ b/src/couchdb/couch_users_db.erl
@@ -104,5 +104,5 @@ after_doc_read(Doc, #db{user_ctx = UserCtx} = Db) ->
         throw(not_found)
     end.
 
-get_doc_name(#doc{body={Body}}) ->
-    couch_util:get_value(?NAME, Body).
+get_doc_name(#doc{id= <<"org.couchdb.user:",Name/binary>>}) ->
+    Name.
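
Review bot: get_doc_name/1 now has a single clause that matches only ids beginning with "org.couchdb.user:", so a document whose id lacks that prefix raises function_clause here, where the removed version returned a value for any body. Consider adding a catch-all clause such as `get_doc_name(_) -> undefined.` so the caller still gets something to compare, plus a one-line comment saying the name is taken from the id because a deleted document has no "name" field in its body. Since the body's "name" is no longer consulted at all, it is also worth confirming that some other check keeps the body name and the id suffix in agreement on updates.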

On 22 Jun 2012, at 16:35, Gregor Martynus wrote:

> Can anybody confirm that when signed in as a user, I cannot DELETE my own _users doc? It's simple to test in futon. 
> Is this a feature, or a bug?
> 
> I tested it on couchDB 1.2 myself. 
> 
> -- 
> Gregor Martynus
> 
> 
> On Wednesday, 20. June 2012 at 19:35, Gregor Martynus wrote:
> 
>> Robert, I get a 200 when I GET the same path. When I'm signed in as "test" in futon and delete my own /_users doc, I get a 404 as well. Is that not the case for you?
>> 
>> I'm on couchDB 1.2, tested locally and on IrisCouch 
>> 
>> -- 
>> Gregor Martynus
>> 
>> 
>> On Wednesday, 20. June 2012 at 18:45, Robert Newson wrote:
>> 
>>> 
>>> Do you get a 200 when you GET that same doc id? I suspect you get a 404. If so, check you have the right id, perhaps you need to escape some fields. Better, try deleting it from Futon which handles the escaping for you.
>>> 
>>> If you're deleting an admin user, then you need to modify your .ini files (preferably via /_config/admins) instead.
>>> 
>>> B.
>>> 
>>> On 20 Jun 2012, at 17:28, Gregor Martynus wrote:
>>> 
>>>> I'm quite sure that this worked before, but doesn't seem to work anymore. 
>>>> 
>>>> Let's say I have a user account "test" and am signed in as "test".
>>>> The _rev number of users/org.couchdb.user:test is '1-234'
>>>> 
>>>> Shouldn't I be able to delete my own account with
>>>> DELETE /users/org.couchdb.user:test?rev=1-234
>>>> ?
>>>> 
>>>> I get a 404 response, but am still signed in as test
>>>> 
>>>> The same happens when I try to PUT the document with _deleted: true ...
>>>> 
>>>> Any idea? 
>>>> 
>>>> -- 
>>>> Gregor
>>>> 
>>> 
>>> 
>>> 
>>> 
>> 
>> 
> 


Re: deleting own user account

Posted by Gregor Martynus <gr...@martynus.net>.
Can anybody confirm that when signed in as a user, I cannot DELETE my own _users doc? It's simple to test in futon. 
Is this a feature, or a bug?

I tested it on couchDB 1.2 myself. 

-- 
Gregor Martynus


On Wednesday, 20. June 2012 at 19:35, Gregor Martynus wrote:

> Robert, I get a 200 when I GET the same path. When I'm signed in as "test" in futon and delete my own /_users doc, I get a 404 as well. Is that not the case for you?
> 
> I'm on couchDB 1.2, tested locally and on IrisCouch 
> 
> -- 
> Gregor Martynus
> 
> 
> On Wednesday, 20. June 2012 at 18:45, Robert Newson wrote:
> 
> > 
> > Do you get a 200 when you GET that same doc id? I suspect you get a 404. If so, check you have the right id, perhaps you need to escape some fields. Better, try deleting it from Futon which handles the escaping for you.
> > 
> > If you're deleting an admin user, then you need to modify your .ini files (preferably via /_config/admins) instead.
> > 
> > B.
> > 
> > On 20 Jun 2012, at 17:28, Gregor Martynus wrote:
> > 
> > > I'm quite sure that this worked before, but doesn't seem to work anymore. 
> > > 
> > > Let's say I have a user account "test" and am signed in as "test".
> > > The _rev number of users/org.couchdb.user:test is '1-234'
> > > 
> > > Shouldn't I be able to delete my own account with
> > > DELETE /users/org.couchdb.user:test?rev=1-234
> > > ?
> > > 
> > > I get a 404 response, but am still signed in as test
> > > 
> > > The same happens when I try to PUT the document with _deleted: true ...
> > > 
> > > Any idea? 
> > > 
> > > -- 
> > > Gregor
> > > 
> > 
> > 
> > 
> > 
> 
> 


Re: deleting own user account

Posted by Gregor Martynus <gr...@martynus.net>.
Robert, I get a 200 when I GET the same path. When I'm signed in as "test" in futon and delete my own /_users doc, I get a 404 as well. Is that not the case for you?

I'm on couchDB 1.2, tested locally and on IrisCouch 

-- 
Gregor Martynus


On Wednesday, 20. June 2012 at 18:45, Robert Newson wrote:

> 
> Do you get a 200 when you GET that same doc id? I suspect you get a 404. If so, check you have the right id, perhaps you need to escape some fields. Better, try deleting it from Futon which handles the escaping for you.
> 
> If you're deleting an admin user, then you need to modify your .ini files (preferably via /_config/admins) instead.
> 
> B.
> 
> On 20 Jun 2012, at 17:28, Gregor Martynus wrote:
> 
> > I'm quite sure that this worked before, but doesn't seem to work anymore. 
> > 
> > Let's say I have a user account "test" and am signed in as "test".
> > The _rev number of users/org.couchdb.user:test is '1-234'
> > 
> > Shouldn't I be able to delete my own account with
> > DELETE /users/org.couchdb.user:test?rev=1-234
> > ?
> > 
> > I get a 404 response, but am still signed in as test
> > 
> > The same happens when I try to PUT the document with _deleted: true ...
> > 
> > Any idea? 
> > 
> > -- 
> > Gregor
> > 
> 
> 
> 



Re: deleting own user account

Posted by Robert Newson <rn...@apache.org>.
Do you get a 200 when you GET that same doc id? I suspect you get a 404. If so, check you have the right id, perhaps you need to escape some fields. Better, try deleting it from Futon which handles the escaping for you.

If you're deleting an admin user, then you need to modify your .ini files (preferably via /_config/admins) instead.

B.

On 20 Jun 2012, at 17:28, Gregor Martynus wrote:

> I'm quite sure that this worked before, but doesn't seem to work anymore. 
> 
> Let's say I have a user account "test" and am signed in as "test".
> The _rev number of users/org.couchdb.user:test is '1-234'
> 
> Shouldn't I be able to delete my own account with
> DELETE /users/org.couchdb.user:test?rev=1-234
> ?
> 
> I get a 404 response, but am still signed in as test
> 
> The same happens when I try to PUT the document with _deleted: true ...
> 
> Any idea? 
> 
> -- 
> Gregor
> 


Re: deleting own user account

Posted by Gregor Martynus <gr...@martynus.net>.
No, sorry, that was a typo, I meant
DELETE /_users/org.couchdb.user:test?rev=1-234

Thanks for pointing that out 

-- 
Gregor Martynus


On Wednesday, 20. June 2012 at 18:38, CGS wrote:

> Have you renamed the database name "users" (by default is "_users")?
> 
> CGS
> 
> 
> 
> 
> On Wed, Jun 20, 2012 at 6:28 PM, Gregor Martynus <gregor@martynus.net> wrote:
> 
> > I'm quite sure that this worked before, but doesn't seem to work anymore.
> > 
> > Let's say I have a user account "test" and am signed in as "test".
> > The _rev number of users/org.couchdb.user:test is '1-234'
> > 
> > Shouldn't I be able to delete my own account with
> > DELETE /users/org.couchdb.user:test?rev=1-234
> > ?
> > 
> > I get a 404 response, but am still signed in as test
> > 
> > The same happens when I try to PUT the document with _deleted: true ...
> > 
> > Any idea?
> > 
> > --
> > Gregor
> > 
> 
> 
> 



Re: deleting own user account

Posted by CGS <cg...@gmail.com>.
Have you renamed the database name "users" (by default is "_users")?

CGS




On Wed, Jun 20, 2012 at 6:28 PM, Gregor Martynus <gr...@martynus.net> wrote:

> I'm quite sure that this worked before, but doesn't seem to work anymore.
>
> Let's say I have a user account "test" and am signed in as "test".
> The _rev number of users/org.couchdb.user:test is '1-234'
>
> Shouldn't I be able to delete my own account with
> DELETE /users/org.couchdb.user:test?rev=1-234
> ?
>
> I get a 404 response, but am still signed in as test
>
> The same happens when I try to PUT the document with _deleted: true ...
>
> Any idea?
>
> --
> Gregor
>
>