authorJan Lehnardt <jan@apache.org>2018-07-14 12:01:58 +0200
committerJan Lehnardt <jan@apache.org>2018-07-15 20:29:39 +0200
commit45583af0cb600b712b1eb965b812f3537991f6f4 (patch)
treea03518077852801ea19232fc1b9cb03afb67e2ec
parent8e5caaf9bffd90737208775d9d7cfab3d3ec4b61 (diff)
Optionally prevent non-admins from accessing /_all_dbs
-rw-r--r--rel/overlay/etc/default.ini3
-rw-r--r--src/chttpd/src/chttpd_auth_request.erl5
2 files changed, 7 insertions, 1 deletions
diff --git a/rel/overlay/etc/default.ini b/rel/overlay/etc/default.ini
index 0f0d54793..fbc61afd6 100644
--- a/rel/overlay/etc/default.ini
+++ b/rel/overlay/etc/default.ini
@@ -98,6 +98,9 @@ max_db_number_for_dbs_info_req = 100
; uncomment the next line to enable proxy authentication
; authentication_handlers = {chttpd_auth, proxy_authentication_handler}, {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, default_authentication_handler}
+; prevent non-admins from accessing /_all_dbs
+;admin_only_all_dbs = false
+
[database_compaction]
; larger buffer sizes can originate smaller files
doc_buffer_size = 524288 ; value in bytes
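Review bot: The comment on the added line reads as if the setting in its current form prevents non-admin access, but the line beneath it carries the default `false`, so an operator who simply uncomments it changes nothing; suggest `; set to true to prevent non-admins from accessing /_all_dbs` so the value to use is stated. Spelling out that the default keeps `/_all_dbs` readable by non-admin users (inferred from the matching `false` default in the accompanying chttpd_auth_request.erl change) would make the trade-off explicit in the one place operators read. The hunk header counts six old lines while only five are visible here, so a blank line may have been dropped in rendering.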
diff --git a/src/chttpd/src/chttpd_auth_request.erl b/src/chttpd/src/chttpd_auth_request.erl
index 05c5e8e35..9110ed6bc 100644
--- a/src/chttpd/src/chttpd_auth_request.erl
+++ b/src/chttpd/src/chttpd_auth_request.erl
@@ -34,7 +34,10 @@ authorize_request_int(#httpd{path_parts=[]}=Req) ->
authorize_request_int(#httpd{path_parts=[<<"favicon.ico">>|_]}=Req) ->
Req;
authorize_request_int(#httpd{path_parts=[<<"_all_dbs">>|_]}=Req) ->
- Req;
+ case config:get_boolean("chttpd", "admin_only_all_dbs", false) of
+ true -> require_admin(Req);
+ false -> Req
+ end;
authorize_request_int(#httpd{path_parts=[<<"_dbs_info">>|_]}=Req) ->
Req;
authorize_request_int(#httpd{path_parts=[<<"_replicator">>], method='PUT'}=Req) ->
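Review bot: The new `case` on `config:get_boolean("chttpd", "admin_only_all_dbs", false)` carries no comment saying that the `false` default deliberately preserves the previous open behaviour and must stay in step with `rel/overlay/etc/default.ini`; suggest `%% default false keeps /_all_dbs readable by non-admins; keep in sync with default.ini` above the `case`. Reading the setting inline on every `/_all_dbs` request rather than caching it appears intended to make the switch take effect without a restart (inferred, not visible here), which is worth a short why-comment. Stylistically the boolean `case` could move into a small helper such as `maybe_require_admin(Req)` so this clause stays a one-liner like its neighbours. The adjacent `_dbs_info` clause on the following lines still returns `Req` unconditionally; whether it should honour the same setting depends on what that endpoint discloses and is worth confirming. The enclosing `authorize_request_int/1` continues outside the hunk.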