Posted to commits@couchdb.apache.org by ja...@apache.org on 2018/07/14 13:07:00 UTC

[couchdb] 01/01: Optionally prevent non-admins from accessing /_all_dbs

This is an automated email from the ASF dual-hosted git repository.

jan pushed a commit to branch feat/admin-only-all-dbs
in repository https://gitbox.apache.org/repos/asf/couchdb.git

commit 7a55dd36de856ef23efda509fcc9e16d9eaba5cc
Author: Jan Lehnardt <ja...@apache.org>
AuthorDate: Sat Jul 14 12:01:58 2018 +0200

    Optionally prevent non-admins from accessing /_all_dbs
---
 rel/overlay/etc/default.ini            | 3 +++
 src/chttpd/src/chttpd_auth_request.erl | 6 +++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/rel/overlay/etc/default.ini b/rel/overlay/etc/default.ini
index 0f0d547..fbc61af 100644
--- a/rel/overlay/etc/default.ini
+++ b/rel/overlay/etc/default.ini
@@ -98,6 +98,9 @@ max_db_number_for_dbs_info_req = 100
 ; uncomment the next line to enable proxy authentication
 ; authentication_handlers = {chttpd_auth, proxy_authentication_handler}, {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, default_authentication_handler}
 
+; prevent non-admins from accessing /_all_dbs
+;admin_only_all_dbs = false
+
 [database_compaction]
 ; larger buffer sizes can originate smaller files
 doc_buffer_size = 524288 ; value in bytes
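Review bot: The commented sample `;admin_only_all_dbs = false` shows the default, so an operator who simply uncomments it gets no restriction, while the comment above reads as if the line enables one. Wording such as `; set to true to prevent non-admins from accessing /_all_dbs` would make the fail-open default explicit. The code reads this key from the `chttpd` section, and the section header is outside this hunk, so it is worth confirming the option sits under `[chttpd]`.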
diff --git a/src/chttpd/src/chttpd_auth_request.erl b/src/chttpd/src/chttpd_auth_request.erl
index 05c5e8e..2adb1dd 100644
--- a/src/chttpd/src/chttpd_auth_request.erl
+++ b/src/chttpd/src/chttpd_auth_request.erl
@@ -34,7 +34,11 @@ authorize_request_int(#httpd{path_parts=[]}=Req) ->
 authorize_request_int(#httpd{path_parts=[<<"favicon.ico">>|_]}=Req) ->
     Req;
 authorize_request_int(#httpd{path_parts=[<<"_all_dbs">>|_]}=Req) ->
-    Req;
+   case config:get("chttpd", "admin_only_all_dbs", "false") of
+       "false" -> Req;
+       "true" -> require_admin(Req);
+       Else  -> couch_log:error("Invalid setting for admin_only_all_dbs: ~p. Must be true or false.", [Else])
+   end;
 authorize_request_int(#httpd{path_parts=[<<"_dbs_info">>|_]}=Req) ->
     Req;
 authorize_request_int(#httpd{path_parts=[<<"_replicator">>], method='PUT'}=Req) ->
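Review bot: The `Else` branch returns whatever `couch_log:error/2` returns rather than a request record or an authorization failure, so a mistyped `admin_only_all_dbs` value leaves the outcome of the `/_all_dbs` check to however the caller treats that return value. An access-control switch should fail closed on an unparseable setting: `Else -> couch_log:error(...), require_admin(Req)` keeps the log line and then enforces the admin check. The match is also case-sensitive, so a value like `True` lands in this branch. The unchanged `_dbs_info` clause just below still returns `Req` for every caller; if that endpoint discloses database names it probably wants the same gate. The other clauses of `authorize_request_int` lie outside the hunk.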