Fix deleting rocksdb views and dump_authentication (#5779)

* fix deleting rocksdb views and dump_authentication

* fix changelog, fix test

CHANGELOG

@@ -1,6 +1,9 @@
 devel
 -----
 
+* if authentication is turned on requests to databases by users with insufficient rights
+ will be answered with the HTTP forbidden (401) response.
+  
 * upgraded bundled RocksDB library version to 5.14
 
 * added key generators `uuid` and `padded`

arangod/GeneralServer/GeneralCommTask.cpp

@@ -136,16 +136,21 @@ bool resolveRequestContext(GeneralRequest& req) {
 /// response if execution is supposed to be aborted
 GeneralCommTask::RequestFlow GeneralCommTask::prepareExecution(
     GeneralRequest& req) {
-  if (!::resolveRequestContext(req)) {
+  if (!::resolveRequestContext(req)) { // false if db not found
     if (_auth->isActive()) {
-      // prevent guessing of database names (issue #5030)
+      // prevent guessing database names (issue #5030)
-      addErrorResponse(rest::ResponseCode::UNAUTHORIZED,
+      auth::Level lvl = auth::Level::NONE;
-                       req.contentTypeResponse(), req.messageId(),
+      if (req.authenticated()) {
-                       TRI_ERROR_FORBIDDEN);
+        lvl = _auth->userManager()->databaseAuthLevel(req.user(), req.databaseName());
-    } else {
+      }
-      addErrorResponse(rest::ResponseCode::NOT_FOUND, req.contentTypeResponse(),
+      if (lvl == auth::Level::NONE) {
-                       req.messageId(), TRI_ERROR_ARANGO_DATABASE_NOT_FOUND);
+        addErrorResponse(rest::ResponseCode::UNAUTHORIZED, req.contentTypeResponse(),
+                         req.messageId(), TRI_ERROR_FORBIDDEN);
+        return RequestFlow::Abort;
+      }
     }
+    addErrorResponse(rest::ResponseCode::NOT_FOUND, req.contentTypeResponse(),
+                      req.messageId(), TRI_ERROR_ARANGO_DATABASE_NOT_FOUND);
     return RequestFlow::Abort;
   }
   TRI_ASSERT(req.requestContext() != nullptr);

arangod/RocksDBEngine/RocksDBIndex.cpp

@@ -332,7 +332,7 @@ RocksDBKeyBounds RocksDBIndex::getBounds(Index::IndexType type,
       return RocksDBKeyBounds::GeoIndex(objectId);
 #ifdef USE_IRESEARCH
     case RocksDBIndex::TRI_IDX_TYPE_IRESEARCH_LINK:
-      return RocksDBKeyBounds::Empty();
+      return RocksDBKeyBounds::DatabaseViews(objectId);
 #endif
     case RocksDBIndex::TRI_IDX_TYPE_UNKNOWN:
     default:

js/client/tests/authentication/auth.js

@@ -495,7 +495,7 @@ function AuthSuite() {
         "preferred_username": "root",
         "iss": "arangodb", "exp": Math.floor(Date.now() / 1000) + 3600
       }, 'HS256');
-      // should respond with unauthorized name guessing
+      // should respond with not-found because we are root
       var res = request.get({
         url: baseUrl() + "/_db/nonexisting/_api/version",
         auth: {
@@ -503,7 +503,14 @@ function AuthSuite() {
         }
       });
       expect(res).to.be.an.instanceof(request.Response);
-      expect(res).to.have.property('statusCode', 401);
+      expect(res).to.have.property('statusCode', 404);
+
+      // should prevent name guessing by unauthorized users
+      var res = request.get({
+        url: baseUrl() + "/_db/nonexisting/_api/version"
+      });
+      expect(res).to.be.an.instanceof(request.Response);
+      expect(res).to.have.property('statusCode', 404);
     },
 
     testDatabaseListNonSystem: function() {