On Tue, Feb 14, 2012 at 11:06, Benoit Chesneau <[email protected]> wrote:
> On Tue, Feb 14, 2012 at 7:53 PM, Randall Leeds <[email protected]>
> wrote:
>> On Tue, Feb 14, 2012 at 10:41, Jan Lehnardt <[email protected]> wrote:
>>>
>>> On Feb 14, 2012, at 19:35, Randall Leeds wrote:
>>>
>>>> On Tue, Feb 14, 2012 at 10:19, Jan Lehnardt <[email protected]> wrote:
>>>>>
>>>>> On Feb 14, 2012, at 19:13, Randall Leeds wrote:
>>>>>
>>>>>> On Tue, Feb 14, 2012 at 04:14, Noah Slater <[email protected]> wrote:
>>>>>>> Devs,
>>>>>>>
>>>>>>> Please outline:
>>>>>>>
>>>>>>> - What has been changed since round one of the 1.2.0 release
>>>>>>> - What remains to be fixed for regression purposes
>>>>>>> - Who is doing these fixes, and when will they be done by
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> N
>>>>>>
>>>>>> I'd like to know if it was always the case that design doc actions on
>>>>>> system dbs were inaccessible to non-admins or if that's just since the
>>>>>> recent security changes. If it's recent, why was that part deemed
>>>>>> necessary and can we remove it?
>>>>>
>>>>> It is part of the recent changes and the reason is that a view potentially
>>>>> leaks information about docs and we don't want that. I'm happy to relax this
>>>>> later if we can convince people to write views that don't compromise their
>>>>> security, but until then I opted for the more secure default.
>>>>>
>>>>
>>>> I motion to remove this restriction now, unless there are actions on
>>>> the system dbs, installed by default, that leak anything at all.
>>>> I see the motivation but I feel it might be overly paranoid. Only an
>>>> admin can modify the ddocs. If a user decides to add views to
>>>> _replicator or _user they had best think about what they expose and to
>>>> whom.
>>>>
>>>> If there's no objection I can try to tackle this in the evening.
>>>
>>> I object :)
>>
>> Hmm. What's your reasoning?
> Why do you need views in _users?
>
> - benoît
The idea was to make it easy to add public profiles, since ?include_docs is subject to the new security hooks, but emit() could publish the public information. There are valid use cases for admin-only views, which this would prevent, though. In that case, we probably shouldn't change anything.

-R
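To illustrate the leak Jan and Randall are discussing, here is an added example that is not from the thread or from CouchDB itself: a stub view runner over constructed _users-style documents, contrasting a map function that emits the whole doc (credential fields end up in the index) with one that emits only public profile fields. The helper names (runView, leakyMap, publicProfileMap, exposedFields) and the sample docs are assumptions made for this example.

```javascript
// Added example: simulate a CouchDB-style map function over constructed
// _users docs to show what rows a view would expose to anyone who can read it.
// Real views run in CouchDB's JS query server; emit() is stubbed here.

// Constructed sample _users docs, shaped like CouchDB 1.x user docs.
const users = [
  { _id: "org.couchdb.user:alice", type: "user", name: "alice",
    roles: ["editor"], salt: "aa11", password_sha: "deadbeef",
    bio: "Writes docs" },
  { _id: "org.couchdb.user:bob", type: "user", name: "bob",
    roles: [], salt: "bb22", password_sha: "cafebabe",
    bio: "Reviews docs" },
];

// Run a map function over docs, collecting emitted rows like a view index.
// emit is installed as a global so map functions keep CouchDB's shape.
function runView(mapFn, docs) {
  const rows = [];
  globalThis.emit = (key, value) => rows.push({ key, value });
  for (const doc of docs) mapFn(doc);
  delete globalThis.emit;
  return rows;
}

// Leaky map: emits the whole doc, so salt/password_sha/roles land in the index.
function leakyMap(doc) {
  if (doc.type === "user") emit(doc.name, doc);
}

// Curated map: emits only the fields intended as a public profile.
function publicProfileMap(doc) {
  if (doc.type === "user") emit(doc.name, { name: doc.name, bio: doc.bio });
}

// Report which sensitive field names appear in any emitted row value.
const SENSITIVE = ["salt", "password_sha", "roles"];
function exposedFields(rows) {
  const found = new Set();
  for (const row of rows)
    for (const f of SENSITIVE) if (f in row.value) found.add(f);
  return [...found].sort();
}

console.log("leaky view exposes:", exposedFields(runView(leakyMap, users)));
console.log("public view exposes:", exposedFields(runView(publicProfileMap, users)));
```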
