Thanks guys, committed. Noah, 1.2.0 is unblocked on this one.
On Feb 21, 2012, at 20:13 , Paul Davis wrote: > +1 on the patch to require admin for _changes. > > On Tue, Feb 21, 2012 at 3:36 AM, Jan Lehnardt <[email protected]> wrote: >> *nudge* >> >> I don't feel very confident with a single opinion (thanks Robert), and would >> love your input on this one. >> >> Cheers >> Jan >> -- >> >> >> On Feb 16, 2012, at 16:12 , Jan Lehnardt wrote: >> >>> >>> On Feb 14, 2012, at 13:14 , Noah Slater wrote: >>> >>>> Devs, >>>> >>>> Please outline: >>>> >>>> - What remains to be fixed for regression purposes >>> >>> I want to bring up one more thing (sorry :). >>> >>> /_users/_changes is currently end-user readable. While >>> /_users/_changes?include_docs=true will not fetch docs the requesting user >>> doesn't have access to, it still gets all doc ids in the /_users db and >>> thus easily can generate a list of all users. >>> >>> I'd like to propose to make /_user/_changes also admin-only before we ship >>> 1.2.0. Again, I'm happy to revisit and make things configurable down the >>> road. >>> >>> Note that the information that a particular user is registered is leaked (a >>> user can't sign up with a username that is already taken, from that it can >>> be deduced that that particular username is already registered). This is in >>> line with most signup systems. Making /_users/_changes admin-only doesn't >>> prevent all leakage of what users have signed up, but it stops bulk-leakage >>> of *all* users in one swoop. >>> >>> What do you think? >>> >>> Cheers >>> Jan >>> -- >>> >>> >>
