Clustered purge should be restricted to admins #1799
I would say that the _purge operation should be treated similarly to _compact in terms of the security level required to run it. It is an operation that affects the structure of the database and is invisible in _changes or VDU.
POST to the _purge endpoint should check if the user is server admin before allowing the clustered purge to be executed.
Every user that has access to the db can run it:
Compared with compact:
Add the same security check as for _compact
Steps to Reproduce (for bugs)
DB that is available to users via HTTP
CouchDB 2.3.0 (master) on Linux
I can create a PR for it, if you agree that we should have an admin check in place here.
The intent was to restore the same purge functionality that existed in 1.x. 1.x did not require server admin permissions.
I disagree that this should require server admin permissions.
I might agree that it should be reserved for database admins, but I'd like others to chime in first.
Good points! I did not know about the 1.x legacy and I thought that the missing security was simply an oversight.
I still think it is important to note that _purge lets you essentially bypass validate_doc_update, because it allows you to delete any document you wish. So, because of this, it might still be a good idea to restrict the endpoint to DB admins. Also the purge is not tracked in _changes, so it might become difficult to tell what was going on in the DB.
Given the current code base, if there is a need to allow only admins to perform _purge, it is feasible to write additional code to perform an additional check that authorizes only admins for the _purge endpoint. Also it is possible to write an audit log to track what was going on in the DB.
@janl @wohali : Do you think that the possibility to bypass VDU with _purge for deleting documents is enough of a reason to restrict it to admins? Normally deletions can be disallowed by throwing an exception in VDU, but with _purge, which is accessible to every member/user, VDU is never called (and that's probably correct as it is not a normal doc update).
If you think it's not a problem, I can close the issue. Otherwise I can submit a PR adding a simple check in chttpd_auth_request.erl.
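The kind of clause this comment proposes, as an added example that is not CouchDB's own code: a self-contained Erlang module that mirrors gating `_purge` behind the same database-admin check as `_compact`. The record fields, the simplified `require_db_admin/1` and the assumption that the existing `_compact` clause looks like this are stand-ins; verify against the real `chttpd_auth_request.erl` before porting.

```erlang
%% Added example, not CouchDB's own code. Mirrors the shape of a clause one
%% would add to chttpd_auth_request.erl so that POST /{db}/_purge requires a
%% database admin, exactly as _compact already does. Record layout and the
%% helper below are simplified assumptions, not the real module's definitions.
-module(purge_auth_example).
-export([authorize_request/1]).

-record(user_ctx, {name = null, roles = []}).
%% db_admins stands in for the names listed in the db security object's
%% "admins" section, which the real module looks up from the database.
-record(httpd, {method, path_parts, user_ctx = #user_ctx{}, db_admins = []}).

%% _compact is already gated behind a database-admin check.
authorize_request(#httpd{path_parts = [_DbName, <<"_compact">>]} = Req) ->
    require_db_admin(Req);
%% Proposed clause: treat _purge like _compact, because it deletes documents
%% without ever calling validate_doc_update and leaves no trace in _changes.
authorize_request(#httpd{path_parts = [_DbName, <<"_purge">>]} = Req) ->
    require_db_admin(Req);
%% Every other path falls through to the ordinary member check, which the real
%% module performs; here the request is simply passed on unchanged.
authorize_request(Req) ->
    Req.

%% Server admins (role "_admin") and names listed as database admins pass;
%% anyone else is rejected with a forbidden error, which chttpd maps to 403.
require_db_admin(#httpd{user_ctx = #user_ctx{name = Name, roles = Roles},
                        db_admins = Admins} = Req) ->
    case lists:member(<<"_admin">>, Roles) orelse lists:member(Name, Admins) of
        true  -> Req;
        false -> throw({forbidden, <<"You are not a db or server admin.">>})
    end.
```

A regular member calling `authorize_request(#httpd{path_parts = [<<"db">>, <<"_purge">>], user_ctx = #user_ctx{name = <<"alice">>}})` now throws, while the same request with `roles = [<<"_admin">>]` is returned unchanged.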
@jiangphcn I think a log file would not help that much, it can not be as easily consumed as the _changes feed.
Agree with @janl. Good reference on using VDU in the normal deletion case.
I am quite open to accepting the feasible change for the _purge endpoint check. Just want to avoid ending up with another different case. If any document needs to be purged, is it always necessary to go to an admin to purge the document? Is it possible to have an option to enable/disable such a check according to the admin's preference?