[api] Make GET /_all_dbs require an admin users #14
Comments
You mean _all_dbs? I think we made this admin-only in 1.3.x, for the time being we can close this in the proxy.
yeah. And good idea with the proxy workaround! Only problem I see is when we'd need to load _all_dbs in pocket as admin, as requests go through our proxy as well. But that's not the case yet, and I don't see a use case for that either, just for the record
so far the pocket admin is also the CouchDB admin, so all is well :)
I mean the requests for pocket go through our proxy as well. If we'd disable the But that's all irrelevant when CouchDB 1.3 brings the expected update.
we can inspect the headers and try the request with credentials if the username is "admin", but yes, eventually this is couchdb-land.
hadn’t had time to look, leave open for me pls. :)
I still can access |
yeah I don’t think we added the require config setting to CouchDB yet |
and we should block access in the _api proxy for older CouchDB versions |
Is that possible at all? We definitely have to find a solution, it's a big security vulnerability
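
The proxy-side block discussed in this thread, as an added example (not code from the project or from any commenter): a decision function that denies `_all_dbs` at the proxy unless the request carries credentials for the user "admin", in which case it is forwarded so CouchDB can verify them. The `/_api` mount point, the use of HTTP Basic auth, and all function names and return values are assumptions made for illustration.

```javascript
// Added illustration, not project code. Names and return values are hypothetical.
// Assumptions: CouchDB is mounted under /_api and admins send HTTP Basic auth.
const API_PREFIX = '_api';

// First path segment after the proxy prefix, normalised the conservative way:
// query stripped, percent-escapes decoded, empty segments (//, trailing /) dropped.
function firstSegment(rawUrl) {
  let path = rawUrl.split('?')[0].split('#')[0];
  try {
    path = decodeURIComponent(path);
  } catch (err) {
    return null; // malformed escape such as "%zz"
  }
  const parts = path.split('/').filter(Boolean);
  if (parts[0] === API_PREFIX) parts.shift();
  return parts.length > 0 ? parts[0] : '';
}

// Username from an Authorization: Basic header, or null if absent or malformed.
function basicAuthUser(headers) {
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/i.exec((headers.authorization || '').trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const colon = decoded.indexOf(':');
  return colon === -1 ? null : decoded.slice(0, colon);
}

// 'pass'    : not an _all_dbs request, proxy as usual
// 'deny'    : answer at the proxy, never reaches CouchDB
// 'forward' : send to CouchDB with the supplied credentials; the username
//             proves nothing by itself, CouchDB still checks the password
function decideAllDbs(rawUrl, headers) {
  const segment = firstSegment(rawUrl);
  if (segment === null) return 'deny';
  if (segment !== '_all_dbs') return 'pass';
  return basicAuthUser(headers) === 'admin' ? 'forward' : 'deny';
}

// Constructed sample requests
const adminHeader = { authorization: 'Basic ' + Buffer.from('admin:secret').toString('base64') };
for (const [url, headers] of [
  ['/_api/_all_dbs', {}],
  ['/_api//%5Fall_dbs/?limit=1', {}],
  ['/_api/_all_dbs', adminHeader],
  ['/_api/mydb/_all_docs', {}],
]) {
  console.log(url, '->', decideAllDbs(url, headers));
}
```

Matching on the decoded, slash-collapsed path keeps the block from being sidestepped by spellings such as `//%5Fall_dbs/` that a plain string comparison on the raw URL would miss.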