All created users can read/write from/to every db #8
Comments
should the plugin create needed _security settings for created db or is this not part of the plugin? If I create _security settings by hand, everything works as expected. |
I would like to request this as well. |
From: http://docs.couchdb.org/en/latest/api/database/security.html#put--db-_security PUT /db/_security HTTP/1.1 { |
If the default behavior of the plugin added the user as a member of their database as well as one of the admins they could open up their database to other users or "friends" they might have in the application. |
Current behavior of the plugin only adds user to the admins which means only they can edit design docs. However other users can still create, read, update and delete content from their database. This change would help prevent accidentally opening up information to the internet. |
I'll take a look over the next few days |
Check out the pull request I sent you. Here is a fork of this plugin where user databases are not world writable as the default behavior. https://github.com/jspenc72/couchperuser Best, |
If the pull request is not accepted, the readme should be modified to more clearly describe the behavior of the "private per-user databases"... Behavior With pull request it could read (as readme currently reads): Behavior without pull request (as plugin currently behaves): Something like that. Would be good to reference official documentation if you can... Best, |
The part that takes time in this case is the testing, not the code. I need to find the time to verify that it works or come up with a way to automate a test that verifies that it works correctly. |
What are you currently using to write and run Tests? |
Or were you referring to the the current unit and security tests written by the official CouchDB team? |
Please advise if you need help and I would be happy to contribute any needed tests. |
There are no automated tests, if you provide one I can more quickly accept this or a related pull request. This plugin was a one-off for a project I did quickly a few years back and never had the interest to go back and clean it up. |
Ok, would you mind outlining the logic for the tests you're thinking of? As i am not familiar with automated testing in erlang i am leaning toward an nodejs based solution. Any thoughts? |
hey @jspenc72 - I really apprecciate your done work, I think your changes do reflect the description of this plugin better than before! Was wondering, as my expectation was having a real "secured" CouchDB database for every user, too. Thanks for your done work - will test it later! |
The tests should be:
I wouldn't add a node.js dependency for this test, either bash or Erlang would be acceptable. |
I won't be changing the documentation, this issue reflects the intended behavior and it will be fixed one way or another. It was my understanding at the time that creating the secprops with any members would lock down the database, but either that behavior changed over the years or it was simply a mistake to leave out the members field and the security properties weren't sufficiently verified. |
I cannot get this working on Debian (couchdb hosted in Google Cloud via Bitnami). See my StackOverflow Question here. |
I'm not able to help you with this, but you may want to ask on the usual channels for CouchDB and/or Bitnami questions. From what I understand, CouchDB is bringing this functionality into the core, so you may not need a plugin anymore, but I'm not sure what the status of that is. |
Thank you for replying Etrepum. I'll check it out. |
Hi there,
I tried the couchperuser plugin with CouchDB 1.6.1.
The plugin seems to run fine, as a new database in fromat
userdb-hex
gets created for every user I add through the_users
db.After creation of 2 testusers with result of 2 related dbs I tried to read/write to that dbs. Got no error/alert. Tried it with pouchdb and a couchdb php client.
Whatcould I do to debug that more in detail?
regards
Mischosch
The text was updated successfully, but these errors were encountered: