Add a configurable whitelist of public user props
By default no user properties are public and attempts to view a user's
document other than your own will return a 404. If the public_fields
setting of the users_db config section is set to a list of field
names, however, you will see that subset of fields for any user.
Also, if `public_fields` is set and non-empty,
`_users/_all_docs?include_docs=true` will return documents with the
non-public fields stripped.
Contributed with code parts from @indutny
diff --git a/script/test/users_db_security.js b/script/test/users_db_security.js
index d439fcb..cdc3f17 100644
--- a/script/test/users_db_security.js
+++ b/script/test/users_db_security.js
@@ -256,6 +256,50 @@
// log in one last time so run_on_modified_server can clean up the admin account
TEquals(true, CouchDB.login("jan", "apple").ok);
});
+
+ run_on_modified_server([
+ {
+ section: "couch_httpd_auth",
+ key: "iterations",
+ value: "1"
+ },
+ {
+ section: "couch_httpd_auth",
+ key: "public_fields",
+ value: "name,type"
+ },
+ {
+ section: "admins",
+ key: "jan",
+ value: "apple"
+ }
+ ], function() {
+ var res = usersDb.open("org.couchdb.user:jchris");
+ TEquals("jchris", res.name);
+ TEquals("user", res.type);
+ TEquals(undefined, res.roles);
+ TEquals(undefined, res.salt);
+ TEquals(undefined, res.password_scheme);
+ TEquals(undefined, res.derived_key);
+
+ // log in one last time so run_on_modified_server can clean up the admin account
+ TEquals(true, CouchDB.login("jan", "apple").ok);
+
+ var all = usersDb.allDocs({ include_docs: true });
+ T(all.rows);
+ if (all.rows) {
+ T(all.rows.every(function(row) {
+ T(row.doc);
+ if (row.doc) {
+ return Object.keys(row.doc).every(function(key) {
+ return key === 'name' || key === 'type';
+ });
+ } else {
+ return false;
+ }
+ }));
+ }
+ });
};
usersDb.deleteDb();
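Review bot: The `_all_docs` assertion in the new callback passes vacuously when the response carries no rows: `T(all.rows)` accepts an empty array (it is truthy) and `every` over an empty array returns true, so a server that returned nothing would still satisfy the field-stripping check. Replace the guard with a length check, `TEquals(true, all.rows.length > 0);`, and drop the then-redundant `if (all.rows)` wrapper so a missing row fails instead of being skipped. The commit description places the setting in the `users_db` section, but the test writes `public_fields` under `couch_httpd_auth`; one of the two should be corrected so readers configure the section the server actually reads. It is also not visible in the hunk which session performs `usersDb.open("org.couchdb.user:jchris")` — the preceding block ends with the admin login of `jan`, and if that session carries over, the undefined-salt assertions would be exercising admin visibility rather than the non-owner case the description targets; logging in as a non-admin user (or logging out) before the `open` would pin that down. The enclosing function that the `};` after the inserted block closes starts outside the hunk.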