When we query the _all_dbs endpoint, it returns all the databases even if the current user is not authorized to some of the databases.
I would expect to receive only the databases that are allowed to the current user.
As I discussed with Jan yesterday, such things can't be done by filtering the database list on each call. In order to be scalable, we would need an index or so.
I'm not an Erlang dev but I can help you in any way I can :)
Returning all the database names with the _all_dbs endpoint displays private information to all users, which is not safe.
You can configure default_security to admin_only.
https://github.com/apache/couchdb/blob/master/rel/overlay/etc/default.ini#L31
Only admin can read/write databases.
@style95 Correct me if I'm wrong but default_security is for the default security object of database.
So if I switch it to admin_only, only the admins will have access to the databases by default. Consequently, my user Foo won't be able to access any database by default.
Therefore, _all_dbs will still return all the database names (even if Foo doesn't have access to any of them).
default_security has no effect on _all_dbs.
Interesting enhancement request, and definitely non-trivial.
If you are concerned about security, as a workaround you can disable _all_dbs by removing its handler from [httpd_global_handlers], or firewall off access through a reverse proxy (such as haproxy).
Closing in favour of https://github.com/apache/couchdb/pull/1440
https://github.com/apache/couchdb/pull/1440 might have fixed the security issue but didn't help from a UI point of view. (Users are still facing issues: https://github.com/apache/couchdb-fauxton/issues/1037#issuecomment-609685270)
With the _all_dbs reserved for server admin only, there's no way in Fauxton to know which database the user has access to. So if a user with access limited to certain databases wants to use Fauxton, the only way to do this is by manually typing the URL.
Maybe I could allow a user to manually search for a database name and show it if valid but that's not really a proper solution.
For this reason, I would like to reopen that issue.
@janl @wohali
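The check that a per-user _all_dbs filter (or a Fauxton database list) would have to make for every database, as an added example that is not CouchDB or Fauxton code. It assumes the standard _security object layout (admins/members, each with names and roles) and that admin_only corresponds to the _admin role in both role lists; all database names and users are constructed.

```javascript
// Added example: models CouchDB's _security object semantics.
// Database names, users and security objects are constructed sample data.

const list = (section, key) =>
  section && Array.isArray(section[key]) ? section[key] : [];

// True when the user is named, or holds a role listed, in this section.
function matches(userCtx, section) {
  const roles = userCtx.roles || [];
  return (
    (userCtx.name != null && list(section, "names").includes(userCtx.name)) ||
    list(section, "roles").some((r) => roles.includes(r))
  );
}

// True when userCtx may read a database carrying this _security object.
function canRead(userCtx, security) {
  const sec = security || {};
  if ((userCtx.roles || []).includes("_admin")) return true; // server admin
  const members = sec.members || {};
  const open =
    list(members, "names").length === 0 && list(members, "roles").length === 0;
  if (open) return true; // no members defined: public database
  return matches(userCtx, members) || matches(userCtx, sec.admins);
}

// The per-call filter discussed in the thread: one _security check per database.
function visibleDbs(userCtx, securityByDb) {
  return Object.keys(securityByDb)
    .filter((db) => canRead(userCtx, securityByDb[db]))
    .sort();
}

// Assumed representation of default_security = admin_only.
const ADMIN_ONLY = { admins: { roles: ["_admin"] }, members: { roles: ["_admin"] } };
const SAMPLE = {
  public_notes: {},
  foo_private: { members: { names: ["foo"], roles: [] } },
  team_reports: { members: { roles: ["reports"] } },
  payroll: ADMIN_ONLY,
};
const foo = { name: "foo", roles: [] };
const bar = { name: "bar", roles: ["reports"] };
const root = { name: "root", roles: ["_admin"] };
const anonymous = { name: null, roles: [] };

for (const ctx of [foo, bar, root, anonymous]) {
  console.log(ctx.name, "->", visibleDbs(ctx, SAMPLE).join(", "));
}
```

An unfiltered listing would show all four names to every caller, and the filter costs one security lookup per database on each request.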