You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@couchdb.apache.org by kx...@apache.org on 2015/11/10 00:11:35 UTC
couchdb-cassim git commit: Reuse database security check routines
from couch_db
Repository: couchdb-cassim
Updated Branches:
refs/heads/master 92172db75 -> 350e4e601
Reuse database security check routines from couch_db
COUCHDB-2534
Project: http://git-wip-us.apache.org/repos/asf/couchdb-cassim/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-cassim/commit/350e4e60
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-cassim/tree/350e4e60
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-cassim/diff/350e4e60
Branch: refs/heads/master
Commit: 350e4e60171bf1ccf90ebc5126304bc9870a1b03
Parents: 92172db
Author: Alexander Shorin <kx...@apache.org>
Authored: Fri Jan 9 19:32:50 2015 +0300
Committer: Alexander Shorin <kx...@apache.org>
Committed: Tue Nov 10 02:09:13 2015 +0300
----------------------------------------------------------------------
src/cassim_security.erl | 62 +++++---------------------------------------
1 file changed, 7 insertions(+), 55 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/couchdb-cassim/blob/350e4e60/src/cassim_security.erl
----------------------------------------------------------------------
diff --git a/src/cassim_security.erl b/src/cassim_security.erl
index 6afada2..08fe791 100644
--- a/src/cassim_security.erl
+++ b/src/cassim_security.erl
@@ -46,7 +46,7 @@ get_security(DbName, Options) ->
UserCtx = couch_util:get_value(user_ctx, Options, #user_ctx{}),
Doc = get_security_doc(DbName),
{SecProps} = couch_doc:to_json_obj(Doc, []),
- check_is_member(UserCtx, SecProps),
+ ok = check_is_member(UserCtx, SecProps),
{proplists:delete(<<"_id">>, SecProps)};
false ->
fabric:get_security(DbName, Options)
@@ -148,57 +148,9 @@ validate_roles_list(Field, _Roles) ->
throw(binary_to_list(Field) ++ " must be a JSON list of strings").
-check_is_admin(#user_ctx{name=Name,roles=Roles}, SecProps) ->
- {Admins} = get_admins(SecProps),
- AdminRoles = [<<"_admin">> | couch_util:get_value(<<"roles">>, Admins, [])],
- AdminNames = couch_util:get_value(<<"names">>, Admins,[]),
- case AdminRoles -- Roles of
- AdminRoles -> % same list, not an admin role
- case AdminNames -- [Name] of
- AdminNames -> % same names, not an admin
- throw({unauthorized, <<"You are not a db or server admin.">>});
- _ ->
- ok
- end;
- _ ->
- ok
- end.
-
-
-check_is_member(#user_ctx{name=Name,roles=Roles}=UserCtx, SecProps) ->
- case (catch check_is_admin(UserCtx, SecProps)) of
- ok -> ok;
- _ ->
- {Members} = get_members(SecProps),
- ReaderRoles = couch_util:get_value(<<"roles">>, Members,[]),
- WithAdminRoles = [<<"_admin">> | ReaderRoles],
- ReaderNames = couch_util:get_value(<<"names">>, Members,[]),
- case ReaderRoles ++ ReaderNames of
- [] -> ok; % no readers == public access
- _Else ->
- case WithAdminRoles -- Roles of
- WithAdminRoles -> % same list, not an reader role
- case ReaderNames -- [Name] of
- ReaderNames -> % same names, not a reader
- couch_log:debug("Not a reader: UserCtx ~p "
- " vs Names ~p Roles ~p",
- [UserCtx, ReaderNames, WithAdminRoles]),
- throw({unauthorized, <<"You are not authorized to access this db.">>});
- _ ->
- ok
- end;
- _ ->
- ok
- end
- end
- end.
-
-
-get_admins(SecProps) ->
- couch_util:get_value(<<"admins">>, SecProps, {[]}).
-
-
-get_members(SecProps) ->
- % we fallback to readers here for backwards compatibility
- couch_util:get_value(<<"members">>, SecProps,
- couch_util:get_value(<<"readers">>, SecProps, {[]})).
+check_is_member(UserCtx, SecProps) ->
+ FakeDb = #db{
+ security = SecProps,
+ user_ctx = UserCtx
+ },
+ couch_db:check_is_member(FakeDb).