CouchDB, limit creating users to admins only

Question

I'm working on a CouchDB backend that will exist as a central store for a React app using PouchDB. Reading the docs on the security section: http://docs.couchdb.org/en/2.1.1/intro/security.html, one does not need an admin account or a user account of any kind to create user records. Now, they wouldn't be able to create any documents, as I have admin party disabled. But I also don't want an open API end point to allow just anyone to write data. Is there a way for me to restrict this?

I've tried to see if I could setup a security document like so:

curl -X PUT http://admin:admin@localhost:5984/_users/_security -d '{"admins":{"names":[],"roles":[]},"members":{"names":[],"roles":[]}}'

But I'm still able to add users:

curl -X PUT http://localhost:5984/_users/org.couchdb.user:abc1 -d '{"name":"abc1", "password":"abc1", "roles":[], "type":"user"}'

Is there something I can change so I cannot do a put request to the couchdb.users namespace without admin credentials?

Answer 1

You are setting no admins or users in your security document and a database with no members allows any user to write regular documents, same as default behaviour.

Try to set your server's admin as _users database admin, i.e. change the security document to -d '{"admins": { "names": ["admin"], "roles": [] }, "members": { "names": [], "roles": [] }}' or even better create an admin role and assign it to a separate CouchDB user for more granular control.