New Couchdb _users permissions and Users accessing to their Docs

[skeyby]

In past versions of CouchDB users could access their doc as stated in:

https://docs.couchdb.org/en/stable/intro/security.html?highlight=_users#authentication-database

With a brand new CouchDB 3.1 with default settings, this doesn't seem to be the case anymore --- I think this is related to the permissions applied by default which is:

• admin role _admin
• member role _admin

Look at this. I have a brand new CouchDB 3.1 with just an "admin" user:

root@esc:~ # curl -X PUT http://admin:xxxx@localhost:5984/_users/org.couchdb.user:jan -H "Accept: application/json" -H "Content-Type: application/json" -d '{"name": "jan", "password": "apple", "roles": [], "type": "user"}'
{"ok":true,"id":"org.couchdb.user:jan","rev":"1-29a185047e727b3c8788a2b512212f17"}
root@esc:~ # curl -X POST http://localhost:5984/_session -d 'name=jan&password=apple'
{"ok":true,"name":"jan","roles":[]}
root@esc:~ # curl http://jan:apple@127.0.0.1:5984/_users/org.couchdb.user:jan
{"error":"forbidden","reason":"You are not allowed to access this db."}

I tried to change the permission for _users from fauxton to remove the member role _admin but I couldn't do it because by default the permissions for the database are locked.

Clearly I can change that and fix the permissions, that is not the problem, the show-stopper here seems to be that either the documentation needs to be updated (and we're loosing a big functionality as well, since users can't change password on their own, for example), or there's a bug in the implementation of the new default security schema for _users.

Any thought?

Thanks

[skeyby]

P.S.:

As supposed enabling couchdb.users_db_security_editable and removing the Members / Role _admin permission fixed the issue.

root@esc:~ # curl http://jan:apple@127.0.0.1:5984/_users/org.couchdb.user:jan
{"_id":"org.couchdb.user:jan","_rev":"1-29a185047e727b3c8788a2b512212f17","name":"jan","roles":[],"type":"user","password_scheme":"pbkdf2","iterations":10000,"derived_key":"1d32b417b1446398bc531abd46414c31e0e1e37b","salt":"417bf934e4fc59f62320109af8b8a750"}

[skeyby]

Created issue #3170 to track this problem.