+1 on the patch to require admin for _changes.
On Tue, Feb 21, 2012 at 3:36 AM, Jan Lehnardt <[email protected]> wrote: > *nudge* > > I don't feel very confident with a single opinion (thanks Robert), and would > love your input on this one. > > Cheers > Jan > -- > > > On Feb 16, 2012, at 16:12 , Jan Lehnardt wrote: > >> >> On Feb 14, 2012, at 13:14 , Noah Slater wrote: >> >>> Devs, >>> >>> Please outline: >>> >>> - What remains to be fixed for regression purposes >> >> I want to bring up one more thing (sorry :). >> >> /_users/_changes is currently end-user readable. While >> /_users/_changes?include_docs=true will not fetch docs the requesting user >> doesn't have access to, it still gets all doc ids in the /_users db and thus >> easily can generate a list of all users. >> >> I'd like to propose to make /_user/_changes also admin-only before we ship >> 1.2.0. Again, I'm happy to revisit and make things configurable down the >> road. >> >> Note that the information that a particular user is registered is leaked (a >> user can't sign up with a username that is already taken, from that it can >> be deduced that that particular username is already registered). This is in >> line with most signup systems. Making /_users/_changes admin-only doesn't >> prevent all leakage of what users have signed up, but it stops bulk-leakage >> of *all* users in one swoop. >> >> What do you think? >> >> Cheers >> Jan >> -- >> >> >
