Thanks.

On Mon, Feb 20, 2012 at 9:41 PM, Randall Leeds <[email protected]> wrote:

> Filipe followed up on 665. I'll try to repro, but I'm pretty busy this week
> so it might take a couple days.
> On Feb 20, 2012 8:46 AM, "Noah Slater" <[email protected]> wrote:
>
> > Nudge. Where do we stand with this.
> >
> > Is anyone currently working on COUCHDB-665?
> >
> > Has anyone reviewed or merged in Jan's patch?
> >
> > On Thu, Feb 16, 2012 at 10:44 PM, Randall Leeds <[email protected]> wrote:
> >
> > > Also blocking 1.2:
> > > https://issues.apache.org/jira/browse/COUCHDB-665
> > >
> > > On Thu, Feb 16, 2012 at 07:40, Jan Lehnardt <[email protected]> wrote:
> > > >
> > > > On Feb 16, 2012, at 16:12 , Jan Lehnardt wrote:
> > > >
> > > >>
> > > >> On Feb 14, 2012, at 13:14 , Noah Slater wrote:
> > > >>
> > > >>> Devs,
> > > >>>
> > > >>> Please outline:
> > > >>>
> > > >>> - What remains to be fixed for regression purposes
> > > >>
> > > >> I want to bring up one more thing (sorry :).
> > > >>
> > > >> /_users/_changes is currently end-user readable. While
> > > >> /_users/_changes?include_docs=true will not fetch docs the
> > > >> requesting user doesn't have access to, it still gets all doc ids
> > > >> in the /_users db and thus easily can generate a list of all users.
> > > >>
> > > >> I'd like to propose to make /_user/_changes also admin-only before
> > > >> we ship 1.2.0. Again, I'm happy to revisit and make things
> > > >> configurable down the road.
> > > >>
> > > >> Note that the information that a particular user is registered is
> > > >> leaked (a user can't sign up with a username that is already taken,
> > > >> from that it can be deduced that that particular username is already
> > > >> registered). This is in line with most signup systems. Making
> > > >> /_users/_changes admin-only doesn't prevent all leakage of what
> > > >> users have signed up, but it stops bulk-leakage of *all* users in
> > > >> one swoop.
> > > >>
> > > >> What do you think?
> > > >
> > > > And a patch & tests for your consideration:
> > > >
> > > > https://github.com/janl/couchdb/commit/a61a2068a9ff8c1b9c7dc3596a999a6e164c0d42
> > > >
> > > > Cheers
> > > > Jan
> > > > --
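
Added example (not part of the original thread, and not CouchDB code or the linked patch): a toy in-memory model of the changes feed on the users database, contrasting the end-user-readable behaviour described in the quoted mail with the proposed admin-only gate. The function names, the result shape and the sample users are constructed for illustration.

```javascript
// Toy model of the _users changes feed. Everything here is constructed
// for illustration; it does not reproduce CouchDB's implementation.
const USER_PREFIX = "org.couchdb.user:"; // id prefix of CouchDB user docs

// Constructed sample database: three registered users.
const usersDb = ["alice", "bob", "carol"].map((name, i) => ({
  seq: i + 1,
  doc: { _id: USER_PREFIX + name, name, roles: [] },
}));

const isAdmin = (ctx) => ctx.roles.includes("_admin");

// A user may read only their own document; admins may read every document.
const canRead = (ctx, doc) => isAdmin(ctx) || doc.name === ctx.name;

// Behaviour described in the mail: every row carries the doc id, and
// include_docs only attaches the bodies the requester is allowed to read.
function changesEndUserReadable(ctx, { includeDocs = false } = {}) {
  return usersDb.map(({ seq, doc }) => {
    const row = { seq, id: doc._id };
    if (includeDocs && canRead(ctx, doc)) row.doc = doc;
    return row;
  });
}

// Proposed behaviour: the feed as a whole is refused to non-admins, so no
// ids are returned at all. (The { allowed, results } shape is an assumption
// of this model, not an HTTP response format.)
function changesAdminOnly(ctx, opts) {
  if (!isAdmin(ctx)) return { allowed: false, results: [] };
  return { allowed: true, results: changesEndUserReadable(ctx, opts) };
}

// What a requester learns from a feed response: one user name per row id.
function enumeratedUsers(rows) {
  return rows.map((row) => row.id.slice(USER_PREFIX.length));
}

// Demo: an ordinary user sees one doc body but every id before the change.
const bob = { name: "bob", roles: [] };
const before = changesEndUserReadable(bob, { includeDocs: true });
console.log("bodies visible:", before.filter((r) => r.doc).length);
console.log("names learned:", enumeratedUsers(before));
console.log("after gate:", changesAdminOnly(bob, { includeDocs: true }));
```

The per-document read check holds in both variants; only the feed-level gate removes the ids, which is why filtering `include_docs` alone does not stop the bulk listing.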
