User cannot access own document in _users in CouchDB - couchdb

I am having problems with CouchDB 3.1.0 on Windows. I have installed it, during the installation created a admin user (admin:admin) and then created a user as the documentation states:
$ curl -X PUT http://admin:admin#localhost:5984/_users/org.couchdb.user:jan \
> -H "Accept: application/json" \
> -H "Content-Type: application/json" \
> -d '{"name": "jan", "password": "apple", "roles": [], "type": "user"}'
{"ok":true,"id":"org.couchdb.user:jan","rev":"1-fd5a90118f51fb895d594f2fdfa9b12f"}
Fine. Now let me get the user doc:
$ curl -X GET http://jan:apple#localhost:5984/_users/org.couchdb.user:jan
{"error":"forbidden","reason":"You are not allowed to access this db."}
What am I doing wrong? What did I miss?
It did work in CouchDB 2.3, surely.
Thanks.

The documentation for CouchDB 3.x is unfortunately out of date. As of today, the Authentication Database section in the security documentation states:
Users may only access (GET /_users/org.couchdb.user:Jan) or modify
(PUT /_users/org.couchdb.user:Jan) documents that they own
However, it does not state that users by default do not have access to any documents in the _users database.
In order to allow access, one must first change the users_db_security_editable flag to true in the settings, and then clear the members -> roles list in the _users security object. This list has _admin in it by default. Alternatively, you could add a role to your users and add that role to the members -> roles instead.
Note that this will allow users read and write access to their user document.
There is an open Github issue to amend the documentation.
Other sources:
https://github.com/apache/couchdb/issues/2881
https://github.com/apache/couchdb/issues/2730

Related

How to allow any user to access/control only particular application?

Is there any way to allow user to get access of stream URLs and embed code of only one application and restrict access to other applications?
Yes, you can restrict your specific user. You just need to create a user according to below CURL command or Ant Media Server Dashboard Users section in Settings tab.
curl -X POST -H "Content-Type: application/json" -d '{"email": "test", "password": "testtest", "scope": "system", "userType": "ADMIN"}' "https://{YOUR_SERVER_ADDRESS}:5443/rest/v2/users"
Note: scope parameter can be system or specific application name such as LiveApp. If you use LiveApp, user will have permission only for LiveApp. system can access each application scope.
userType parameter can be ADMIN, USER or READ-ONLY.
Check this guide for more detail.

How we can create non admin user who will have limited privilages to database?

I am new to CouchDB, as I am learning it for the first time which is required in our upcoming project so while learning CouchDB I want to create a non-admin user who will have limited access to a database
Check the doc here where the Authentication Database is described.
It is required to create a doc in the _users database
curl -X PUT http://<host>:5984/_users/org.couchdb.user:new-user \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{"name": "new-user", "password": "apple", "roles": [], "type": "user"}'
Here it is described the authorization mechanism. Each DB allows to roles, admin or member. A member can read and write content in a DB whereas an admin has the privileges of members plus the privileges: write (and edit) design documents, add/remove database admins and members and set the database revisions limit. They can not create a database nor delete a database.

CouchDB, limit creating users to admins only

I'm working on a CouchDB backend that will exist as a central store for a React app using PouchDB. Reading the docs on the security section: http://docs.couchdb.org/en/2.1.1/intro/security.html, one does not need an admin account or a user account of any kind to create user records. Now, they wouldn't be able to create any documents, as I have admin party disabled. But I also don't want an open API end point to allow just anyone to write data. Is there a way for me to restrict this?
I've tried to see if I could setup a security document like so:
curl -X PUT http://admin:admin#localhost:5984/_users/_security -d '{"admins":{"names":[],"roles":[]},"members":{"names":[],"roles":[]}}'
But I'm still able to add users:
curl -X PUT http://localhost:5984/_users/org.couchdb.user:abc1 -d '{"name":"abc1", "password":"abc1", "roles":[], "type":"user"}'
Is there something I can change so I cannot do a put request to the couchdb.users namespace without admin credentials?
You are setting no admins or users in your security document and a database with no members allows any user to write regular documents, same as default behaviour.
Try to set your server's admin as _users database admin, i.e. change the security document to -d '{"admins": { "names": ["admin"], "roles": [] }, "members": { "names": [], "roles": [] }}' or even better create an admin role and assign it to a separate CouchDB user for more granular control.

Can't setup webhook

I want to setup webhook to the server.
I am guided by this instruction (and several other): https://developer.autodesk.com/en/docs/webhooks/v1/tutorials/create-a-hook/
Every time I get the same error: Access denied for the scope urn:adsk.wipprod:fs.folder:co.cT9kz1IxRZy5rgSCupQ3vg that you are trying to create hook on
Please check the call:
curl -X 'POST' -v 'https://developer.api.autodesk.com/webhooks/v1/systems/data/events/dm.version.added/hooks' -H 'Content-Type: application/json' -H 'authorization: Bearer '$1 -d '{
"callbackUrl": "***",
"scope": {
"folder": "urn:adsk.wipprod:fs.folder:co.cT9kz1IxRZy5rgSCupQ3vg"
},
"hookAttribute": {
"projectId": "***"
}
}'
*** - was hidden.
Call structure is similar to example in documentation.
Folder exist. I will be glad receive any ideas.
From the description, I believe this can be one of 2 possible issues:
the 3-legged token you're using don't have access to this folder. Note the Webhook is created and stored per user per app, so the user (Autodesk Account that is logged in) need to have access to this folder.
the access token is missing the data:read data:write scopes required for webhooks.
Can you check this and share the results? Maybe add more details on your 3-legged and make sure the user can see the folder (e.g. list files on it with the access token).

How to get the list of Organizations a user belongs to in GitHub?

I'm trying to do what the title says, using GitHub's API, I'm trying to get the list of orgs any user belongs to... my problem, is that I can't find a way to do it.
According to the API's doc: https://developer.github.com/v3/orgs/ using this endpoint:
/users/:user/orgs
That should list them, but it's not doing it for my user, so I'm guessing this only lists orgs created by the user.
If this is the case, is there a way around it somehow, so I can get the list of organizations that any user belongs to?
It should but, as mentioned
For my account, I don't belong to any organization: https://api.github.com/users/VonC/orgs
defunk, however, is part of public orgs: https://api.github.com/users/defunkt/orgs
Since the list orgs API will only list public memberships, regardless of authentication. (more precisely, GET /orgs/{org}/memberships/{username})
If you need to fetch all of the organization memberships (public and private) for the authenticated user, use the List your organizations API instead.
Maybe your user is not part of any public orgs, only private ones.
More recently, using gh, the GitHub CLI after a gh auth login:
gh api \
-H "Accept: application/vnd.github+json" \
/user/orgs \
--jq ".[].login"
One line:
gh api -H "Accept: application/vnd.github+json" /user/orgs --jq ".[].login"
Use the route /user/memberships/orgs. For instance, using GitHub Cli:
$ gh api /user/memberships/orgs --jq '.[0].organization.login'
etsii2
If you still want to get the user's organizations that your authorization allows you to operate on in some way, you can use the List organizations for the authenticated user endpoint.
In cURL
curl \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>"\
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/user/orgs
where you need to substitute the <YOUR-TOKEN> by the access_token you get in the response after authentication.
In my case, using Postman
just call /user/orgs to retrieve all organizations public or private

Resources