Posted to dev@couchdb.apache.org by "Alexander Shorin (JIRA)" <ji...@apache.org> on 2013/07/23 01:30:49 UTC

[jira] [Updated] (COUCHDB-1837) Incorrect HTTP response on attempt to update other user doc with public fields enabled

     [ https://issues.apache.org/jira/browse/COUCHDB-1837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexander Shorin updated COUCHDB-1837:
--------------------------------------

    Priority: Blocker  (was: Major)
    
> Incorrect HTTP response on attempt to update other user doc with public fields enabled
> --------------------------------------------------------------------------------------
>
>                 Key: COUCHDB-1837
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-1837
>             Project: CouchDB
>          Issue Type: Bug
>          Components: HTTP Interface
>            Reporter: Alexander Shorin
>            Priority: Blocker
>
> When `public_fields` are specified (see the [8d7ab8b1|https://git-wip-us.apache.org/repos/asf?p=couchdb.git;a=commit;h=8d7ab8b18dd20f8785e69f4420c6f93a2edbfa60] commit) and a regular user tries to update another user's doc, CouchDB returns HTTP 404 Not Found, whereas HTTP 403 Forbidden is what one would expect.
> Steps to reproduce:
> 1. Enable `public_fields`
> {code}
> curl -X PUT http://localhost:5984/_config/couch_httpd_auth/public_fields -d '"name,email,whatever"' -H "Content-Type: application/json" --user couch_admin
> {code}
> 2. Set up some users
> {code}
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:abc -d '{"name":"abc", "roles":[], "type":"user", "password": "cba"}' -H "Content-Type: application/json"
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:def -d '{"name":"def", "roles":[], "type":"user", "password": "fed"}' -H "Content-Type: application/json"
> {code}
> 3. Now user `abc` may browse `def`'s doc
> {code}
> > curl -v http://abc:cba@localhost:5984/_users/org.couchdb.user:def
> HTTP/1.1 200 OK
> Cache-Control: must-revalidate
> Content-Length: 88
> Content-Type: text/plain; charset=utf-8
> Date: Fri, 21 Jun 2013 22:48:03 GMT
> ETag: "1-fa20c151bb6946527d261e9ef4338923"
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> {"_id":"org.couchdb.user:def","_rev":"1-fa20c151bb6946527d261e9ef4338923","name":"def"}
> {code}
> 4. Try to save `def`'s doc:
> {code}
> curl -v -X PUT http://abc:cba@localhost:5984/_users/org.couchdb.user:def -d '{}' -H "Content-Type: application/json"
> HTTP/1.1 404 Object Not Found
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> Date: Fri, 21 Jun 2013 22:49:44 GMT
> Content-Type: text/plain; charset=utf-8
> Content-Length: 41
> Cache-Control: must-revalidate
> {"error":"not_found","reason":"missing"}
> {code}
> Since the `org.couchdb.user:def` doc actually exists and is available via a direct GET request, the 404 response is incorrect and confusing, while HTTP 403 Forbidden is expected.
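The inconsistency the report describes (a principal can GET a `_users` doc, so the doc evidently exists, yet a PUT on it answers 404 "missing" instead of 403) can be caught mechanically from observed responses. The following is an added example, not CouchDB code or part of the JIRA issue; the observation table is constructed from the curl sessions above plus an assumed successful self-update, and `expected_put_status` encodes only the expectation stated in the report.

```python
"""Status-code consistency check for _users doc access, modelled on COUCHDB-1837.

Hypothetical helper, not CouchDB code. Observations are (user, method, doc id,
status) tuples constructed from the report: `abc` can GET `def`'s doc (200) but
a PUT on it returns 404. The `abc` self-update rows are assumed, not from the page.
"""
from collections import defaultdict

OBSERVATIONS = [
    ("abc", "GET", "org.couchdb.user:def", 200),  # from the report, step 3
    ("abc", "PUT", "org.couchdb.user:def", 404),  # from the report, step 4
    ("abc", "GET", "org.couchdb.user:abc", 200),  # constructed: own doc
    ("abc", "PUT", "org.couchdb.user:abc", 201),  # constructed: own doc update
]


def expected_put_status(requester, doc_id, doc_exists, is_admin=False):
    """Status a PUT on a _users doc should yield under the report's expectation:
    missing doc -> 404; owner or admin -> 201 (CouchDB's created/updated code);
    another user's existing doc -> 403, never 404."""
    if not doc_exists:
        return 404
    owner = doc_id == "org.couchdb.user:" + requester
    if is_admin or owner:
        return 201
    return 403


def find_inconsistencies(observations):
    """Return (user, doc_id, expected_status) for every case where the same
    user got 200 on GET but 404 on PUT for one doc. A readable doc cannot be
    'missing', so the PUT should have been the authorization refusal (403)."""
    by_key = defaultdict(dict)
    for user, method, doc_id, status in observations:
        by_key[(user, doc_id)][method] = status
    bad = []
    for (user, doc_id), statuses in by_key.items():
        if statuses.get("GET") == 200 and statuses.get("PUT") == 404:
            bad.append((user, doc_id, expected_put_status(user, doc_id, True)))
    return bad
```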
