Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2017/12/19 19:42:12 UTC

[GitHub] popojargo opened a new issue #1077: [Feature Request] _all_dbs with only accessible databases

popojargo opened a new issue #1077: [Feature Request] _all_dbs with only accessible databases
URL: https://github.com/apache/couchdb/issues/1077
 
 
   ## Expected Behavior
   
   When we query the _all_dbs endpoint, it returns all the databases even if the current user is not authorized to access some of the databases.
   
   I would expect to receive only the databases that are allowed to the current user.
   
   As I discussed with Jan yesterday, such things can't be done by filtering the database list on each call. In order to be scalable, we would need an index or so.
   
   ## Possible Solution
   
   1. Make the _all_dbs endpoint available only for admins. (Since they have access to all databases)
   2. We could create an index of databases per user. This index would have the username as a key and an array of databases with read access as a value.
   3. The new index would be updated when databases are created/deleted or when a database's permissions are updated.
   
   I'm not an Erlang dev but I can help you in any way I can :)
   
   ## Context
   
   Returning all the database names with the _all_dbs endpoint displays private information to all users, which is not safe.
   
   
   

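The per-user index proposed in the issue, sketched as an added example that is not part of the original issue and is not CouchDB code. It goes beyond the username-keyed index described there by also keying on roles and tracking databases with no members defined, following CouchDB's `_security` object layout (`admins`/`members`, each with `names` and `roles`); the class name `ReadableDbIndex`, its methods and the sample databases are hypothetical.

```javascript
// Hypothetical index: principal ("user:<name>" or "role:<name>") -> readable databases.
class ReadableDbIndex {
  constructor() {
    this.byPrincipal = new Map(); // principal key -> Set of database names
    this.publicDbs = new Set();   // databases with no members defined
    this.allDbs = new Set();      // every database, for server admins
  }
  // Call when a database is created and whenever its _security changes.
  setSecurity(db, security = {}) {
    this.remove(db);
    this.allDbs.add(db);
    const members = security.members || {};
    const count = (members.names || []).length + (members.roles || []).length;
    if (count === 0) { this.publicDbs.add(db); return; } // readable by anyone
    for (const section of [security.admins || {}, members]) {
      const keys = [
        ...(section.names || []).map((n) => `user:${n}`),
        ...(section.roles || []).map((r) => `role:${r}`),
      ];
      for (const key of keys) {
        if (!this.byPrincipal.has(key)) this.byPrincipal.set(key, new Set());
        this.byPrincipal.get(key).add(db);
      }
    }
  }
  // Call when a database is deleted.
  remove(db) {
    this.allDbs.delete(db);
    this.publicDbs.delete(db);
    for (const dbs of this.byPrincipal.values()) dbs.delete(db);
  }
  // Database names readable by a user context { name, roles }, sorted.
  allDbsFor({ name = null, roles = [] }) {
    if (roles.includes("_admin")) return [...this.allDbs].sort();
    const keys = [...roles.map((r) => `role:${r}`), ...(name ? [`user:${name}`] : [])];
    const out = new Set(this.publicDbs);
    for (const k of keys) for (const db of this.byPrincipal.get(k) || []) out.add(db);
    return [...out].sort();
  }
}
// Constructed sample data: three databases with different _security objects.
function buildSampleIndex() {
  const idx = new ReadableDbIndex();
  idx.setSecurity("payroll", { members: { names: ["alice"], roles: [] } });
  idx.setSecurity("reports", { admins: { names: ["carol"] }, members: { roles: ["staff"] } });
  idx.setSecurity("docs", {}); // no members: public
  return idx;
}
```

Each lookup touches only the entries for the caller's name and roles, so the cost of answering `_all_dbs` no longer grows with a per-database permission check on every call.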