[ https://issues.apache.org/jira/browse/COUCHDB-1837?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13777610#comment-13777610 ]
Dirkjan Ochtman commented on COUCHDB-1837:
------------------------------------------

So, what do we do here?

> Incorrect HTTP response on attempt to update other user doc with public fields enabled
> --------------------------------------------------------------------------------------
>
>                 Key: COUCHDB-1837
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-1837
>             Project: CouchDB
>          Issue Type: Bug
>          Components: HTTP Interface
>            Reporter: Alexander Shorin
>            Priority: Blocker
>             Fix For: 1.5.0
>
>
> When `public_fields` are specified (see [8d7ab8b1|https://git-wip-us.apache.org/repos/asf?p=couchdb.git;a=commit;h=8d7ab8b18dd20f8785e69f4420c6f93a2edbfa60] commit) and a regular user tries to update another user's doc, CouchDB returns HTTP 404 Not Found request while HTTP 403 Forbidden is more expected.
> Steps to reproduce:
> 1. Enable `public_fields`
> {code}
> curl -X PUT http://localhost:5984/_config/couch_httpd_auth/public_fields -d '"name,email,whatever"' -H "Content-Type: application/json" --user couch_admin
> {code}
> 2. Set up some users
> {code}
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:abc -d '{"name":"abc", "roles":[], "type":"user", "password": "cba"}' -H "Content-Type: application/json"
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:def -d '{"name":"def", "roles":[], "type":"user", "password": "fed"}' -H "Content-Type: application/json"
> {code}
> 3. Now user `abc` may browse `def` doc
> {code}
> curl -v http://abc:cba@localhost:5984/_users/org.couchdb.user:def
>
> HTTP/1.1 200 OK
> Cache-Control: must-revalidate
> Content-Length: 88
> Content-Type: text/plain; charset=utf-8
> Date: Fri, 21 Jun 2013 22:48:03 GMT
> ETag: "1-fa20c151bb6946527d261e9ef4338923"
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> {"_id":"org.couchdb.user:def","_rev":"1-fa20c151bb6946527d261e9ef4338923","name":"def"}
> {code}
> 4. Try to save `def`'s doc:
> {code}
> curl -v -X PUT http://abc:cba@localhost:5984/_users/org.couchdb.user:def -d '{}' -H "Content-Type: application/json"
> HTTP/1.1 404 Object Not Found
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> Date: Fri, 21 Jun 2013 22:49:44 GMT
> Content-Type: text/plain; charset=utf-8
> Content-Length: 41
> Cache-Control: must-revalidate
> {"error":"not_found","reason":"missing"}
> {code}
> Since the `org.couchdb.user:def` doc actually exists and is available for a direct GET request, the 404 response is incorrect and confusing, while HTTP 403 Forbidden is expected.