*nudge* I don't feel very confident with a single opinion (thanks Robert), and would love your input on this one.
Cheers Jan -- On Feb 16, 2012, at 16:12 , Jan Lehnardt wrote: > > On Feb 14, 2012, at 13:14 , Noah Slater wrote: > >> Devs, >> >> Please outline: >> >> - What remains to be fixed for regression purposes > > I want to bring up one more thing (sorry :). > > /_users/_changes is currently end-user readable. While > /_users/_changes?include_docs=true will not fetch docs the requesting user > doesn't have access to, it still gets all doc ids in the /_users db and thus > easily can generate a list of all users. > > I'd like to propose to make /_user/_changes also admin-only before we ship > 1.2.0. Again, I'm happy to revisit and make things configurable down the road. > > Note that the information that a particular user is registered is leaked (a > user can't sign up with a username that is already taken, from that it can be > deduced that that particular username is already registered). This is in line > with most signup systems. Making /_users/_changes admin-only doesn't prevent > all leakage of what users have signed up, but it stops bulk-leakage of *all* > users in one swoop. > > What do you think? > > Cheers > Jan > -- > >
