[ https://issues.apache.org/jira/browse/COUCHDB-1837?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13690862#comment-13690862 ]

Robert Newson commented on COUCHDB-1837:
----------------------------------------

10.4.4 403 Forbidden

The server understood the request, but is refusing to fulfill it. Authorization 
will not help and the request SHOULD NOT be repeated. If the request method was 
not HEAD and the server wishes to make public why the request has not been 
fulfilled, it SHOULD describe the reason for the refusal in the entity. If the 
server does not wish to make this information available to the client, the 
status code 404 (Not Found) can be used instead.

> Incorrect HTTP response on attempt to update other user doc with public 
> fields enabled
> --------------------------------------------------------------------------------------
>
>                 Key: COUCHDB-1837
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-1837
>             Project: CouchDB
>          Issue Type: Bug
>          Components: HTTP Interface
>            Reporter: Alexander Shorin
>
> When `public_fields` are specified (see the 
> [8d7ab8b1|https://git-wip-us.apache.org/repos/asf?p=couchdb.git;a=commit;h=8d7ab8b18dd20f8785e69f4420c6f93a2edbfa60]
>  commit) and a regular user tries to update another user's doc, CouchDB returns HTTP 
> 404 Not Found, while HTTP 403 Forbidden is more expected.
> Steps to reproduce:
> 1. Enable `public_fields`
> {code}
> curl -X PUT http://localhost:5984/_config/couch_httpd_auth/public_fields -d '"name,email,whatever"' -H "Content-Type: application/json" --user couch_admin
> {code}
> 2. Setup some users
> {code}
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:abc -d '{"name":"abc", "roles":[], "type":"user", "password": "cba"}' -H "Content-Type: application/json"
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:def -d '{"name":"def", "roles":[], "type":"user", "password": "fed"}' -H "Content-Type: application/json"
> {code}
> 3. Now user `abc` may browse `def`'s doc
> {code}
> > curl -v http://abc:cba@localhost:5984/_users/org.couchdb.user:def
> HTTP/1.1 200 OK
> Cache-Control: must-revalidate
> Content-Length: 88
> Content-Type: text/plain; charset=utf-8
> Date: Fri, 21 Jun 2013 22:48:03 GMT
> ETag: "1-fa20c151bb6946527d261e9ef4338923"
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> {"_id":"org.couchdb.user:def","_rev":"1-fa20c151bb6946527d261e9ef4338923","name":"def"}
> {code}
> 4. Try to save `def`'s doc:
> {code}
> curl -v -X PUT http://abc:cba@localhost:5984/_users/org.couchdb.user:def -d '{}' -H "Content-Type: application/json"
> HTTP/1.1 404 Object Not Found
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> Date: Fri, 21 Jun 2013 22:49:44 GMT
> Content-Type: text/plain; charset=utf-8
> Content-Length: 41
> Cache-Control: must-revalidate
> {"error":"not_found","reason":"missing"}
> {code}
> Since the `org.couchdb.user:def` doc actually exists and is available via a direct 
> GET request, the 404 response is incorrect and confusing, while HTTP 403 Forbidden 
> is expected.
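As an added illustration (not CouchDB's code, and not written by either commenter): a toy in-memory model of the `_users` read and write paths that chooses between 403 and 404 the way the RFC text above and the report it quotes suggest. The store, the revision strings, the `Context` type and the field names are assumptions constructed for the example; `public_fields` stands in for the `couch_httpd_auth/public_fields` setting.

```python
# Added example, not CouchDB's own code. Models a server choosing 403 vs 404
# for an unauthorised write so that the write path never contradicts what the
# read path already reveals. All docs, revisions and names are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Doc = Dict[str, object]
Response = Tuple[int, Doc]

ALWAYS_VISIBLE = ("_id", "_rev")
NOT_FOUND: Doc = {"error": "not_found", "reason": "missing"}
FORBIDDEN: Doc = {"error": "forbidden",
                  "reason": "You may only update your own user document."}


@dataclass
class Context:
    """Who is asking, plus the server-side public_fields setting (assumed shape)."""
    user: Optional[str]                 # authenticated name, None for anonymous
    is_admin: bool = False
    public_fields: List[str] = field(default_factory=list)


def user_doc_id(name: str) -> str:
    return f"org.couchdb.user:{name}"


def may_access_fully(ctx: Context, doc_id: str) -> bool:
    """Admins and the doc's own user see and edit everything."""
    return ctx.is_admin or (ctx.user is not None and doc_id == user_doc_id(ctx.user))


def get_user_doc(ctx: Context, store: Dict[str, Doc], doc_id: str) -> Response:
    doc = store.get(doc_id)
    if doc is None:
        return 404, dict(NOT_FOUND)
    if may_access_fully(ctx, doc_id):
        return 200, dict(doc)
    if ctx.public_fields:
        # public_fields enabled: other users get a filtered view, so the
        # document's existence is disclosed to them.
        visible = set(ALWAYS_VISIBLE) | set(ctx.public_fields)
        return 200, {k: v for k, v in doc.items() if k in visible}
    return 404, dict(NOT_FOUND)        # existence deliberately hidden


def put_user_doc(ctx: Context, store: Dict[str, Doc], doc_id: str, body: Doc) -> Response:
    doc = store.get(doc_id)
    if doc is None:
        return 404, dict(NOT_FOUND)    # toy model handles updates only
    if may_access_fully(ctx, doc_id):
        new_rev = f"{int(str(doc['_rev']).split('-')[0]) + 1}-constructed"
        store[doc_id] = {**body, "_id": doc_id, "_rev": new_rev}
        return 201, {"ok": True, "id": doc_id, "rev": new_rev}
    # Unauthorised writer: mirror the read path. If a GET by this caller would
    # already return the doc, a 404 here hides nothing and is simply wrong,
    # so answer 403. If the read path hides the doc, keep hiding it with 404.
    read_status, _ = get_user_doc(ctx, store, doc_id)
    if read_status == 200:
        return 403, dict(FORBIDDEN)
    return 404, dict(NOT_FOUND)


def make_store() -> Dict[str, Doc]:
    """Two constructed user docs, mirroring the abc/def setup in the report."""
    store: Dict[str, Doc] = {}
    for name, email in (("abc", "abc@example.invalid"), ("def", "def@example.invalid")):
        store[user_doc_id(name)] = {
            "_id": user_doc_id(name), "_rev": "1-constructed", "name": name,
            "roles": [], "type": "user", "email": email,
            "password_sha": "<constructed hash>",
        }
    return store


if __name__ == "__main__":
    store = make_store()
    target = user_doc_id("def")
    for label, ctx in (("public_fields on", Context("abc", public_fields=["name", "email"])),
                       ("public_fields off", Context("abc"))):
        print(label, "GET ->", get_user_doc(ctx, store, target)[0],
              "PUT ->", put_user_doc(ctx, store, target, {})[0])
```

The rule it encodes is the one both messages circle around: the status an unauthorised write receives should match what the same caller gets from a GET. A 404 is only an honest answer when the read path also hides the document; once `public_fields` has disclosed that the doc exists, 404 on PUT misleads and 403 is the correct response.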
