Optionally prevent non-admins from accessing /_all_dbsfeat/admin-only-all-dbs

2 files changed, 8 insertions, 1 deletions

diff --git a/rel/overlay/etc/default.ini b/rel/overlay/etc/default.ini
index 0f0d54793..fbc61afd6 100644
--- a/rel/overlay/etc/default.ini
+++ b/rel/overlay/etc/default.ini
@@ -98,6 +98,9 @@ max_db_number_for_dbs_info_req = 100
 ; uncomment the next line to enable proxy authentication
 ; authentication_handlers = {chttpd_auth, proxy_authentication_handler}, {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, default_authentication_handler}
 
+; prevent non-admins from accessing /_all_dbs
+;admin_only_all_dbs = false
+
 [database_compaction]
 ; larger buffer sizes can originate smaller files
 doc_buffer_size = 524288 ; value in bytes
diff --git a/src/chttpd/src/chttpd_auth_request.erl b/src/chttpd/src/chttpd_auth_request.erl
index 05c5e8e35..2adb1dd1d 100644
--- a/src/chttpd/src/chttpd_auth_request.erl
+++ b/src/chttpd/src/chttpd_auth_request.erl
@@ -34,7 +34,11 @@ authorize_request_int(#httpd{path_parts=[]}=Req) ->
 authorize_request_int(#httpd{path_parts=[<<"favicon.ico">>|_]}=Req) ->
     Req;
 authorize_request_int(#httpd{path_parts=[<<"_all_dbs">>|_]}=Req) ->
-    Req;
+   case config:get("chttpd", "admin_only_all_dbs", "false") of
+       "false" -> Req;
+       "true" -> require_admin(Req);
+       Else  -> couch_log:error("Invalid setting for admin_only_all_dbs: ~p. Must be true or false.", [Else])
+   end;
 authorize_request_int(#httpd{path_parts=[<<"_dbs_info">>|_]}=Req) ->
     Req;
 authorize_request_int(#httpd{path_parts=[<<"_replicator">>], method='PUT'}=Req) ->