diff options
author | Jan Lehnardt <jan@apache.org> | 2018-07-14 12:01:58 +0200 |
---|---|---|
committer | Jan Lehnardt <jan@apache.org> | 2018-07-14 15:06:48 +0200 |
commit | 7a55dd36de856ef23efda509fcc9e16d9eaba5cc (patch) | |
tree | 905ae8527f9fb8785a5e26580010d02cb5abf3b7 | |
parent | dacb6583bc5b08c0c2ae2099a787c60eb0a33da8 (diff) | |
download | couchdb-feat/admin-only-all-dbs.tar.gz |
Optionally prevent non-admins from accessing /_all_dbsfeat/admin-only-all-dbs
-rw-r--r-- | rel/overlay/etc/default.ini | 3 | ||||
-rw-r--r-- | src/chttpd/src/chttpd_auth_request.erl | 6 |
2 files changed, 8 insertions, 1 deletions
diff --git a/rel/overlay/etc/default.ini b/rel/overlay/etc/default.ini index 0f0d54793..fbc61afd6 100644 --- a/rel/overlay/etc/default.ini +++ b/rel/overlay/etc/default.ini @@ -98,6 +98,9 @@ max_db_number_for_dbs_info_req = 100 ; uncomment the next line to enable proxy authentication ; authentication_handlers = {chttpd_auth, proxy_authentication_handler}, {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, default_authentication_handler} +; prevent non-admins from accessing /_all_dbs +;admin_only_all_dbs = false + [database_compaction] ; larger buffer sizes can originate smaller files doc_buffer_size = 524288 ; value in bytes diff --git a/src/chttpd/src/chttpd_auth_request.erl b/src/chttpd/src/chttpd_auth_request.erl index 05c5e8e35..2adb1dd1d 100644 --- a/src/chttpd/src/chttpd_auth_request.erl +++ b/src/chttpd/src/chttpd_auth_request.erl @@ -34,7 +34,11 @@ authorize_request_int(#httpd{path_parts=[]}=Req) -> authorize_request_int(#httpd{path_parts=[<<"favicon.ico">>|_]}=Req) -> Req; authorize_request_int(#httpd{path_parts=[<<"_all_dbs">>|_]}=Req) -> - Req; + case config:get("chttpd", "admin_only_all_dbs", "false") of + "false" -> Req; + "true" -> require_admin(Req); + Else -> couch_log:error("Invalid setting for admin_only_all_dbs: ~p. Must be true or false.", [Else]) + end; authorize_request_int(#httpd{path_parts=[<<"_dbs_info">>|_]}=Req) -> Req; authorize_request_int(#httpd{path_parts=[<<"_replicator">>], method='PUT'}=Req) -> |