You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@couchdb.apache.org by Benoit Chesneau <bc...@gmail.com> on 2013/02/10 13:56:13 UTC

Re: git commit: Only allow strings in user doc "roles" array

sounds good for me

On Sun, Feb 10, 2013 at 11:53 AM,  <rn...@apache.org> wrote:
> Updated Branches:
>   refs/heads/1675-fix-roles-validation [created] 5f507095a
>
>
> Only allow strings in user doc "roles" array
>
> We validate that _security documents only contain strings but we have
> not done the same for the roles field in user docs. This is a breaking
> change as users may have been inserting other things (notably,
> objects) in this field.
>
> COUCHDB-1675
>
>
> Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
> Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/5f507095
> Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/5f507095
> Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/5f507095
>
> Branch: refs/heads/1675-fix-roles-validation
> Commit: 5f507095a0c7996391f6ca37a30fd0c4829b5e45
> Parents: 3b103eb
> Author: Robert Newson <rn...@apache.org>
> Authored: Sun Feb 10 10:52:24 2013 +0000
> Committer: Robert Newson <rn...@apache.org>
> Committed: Sun Feb 10 10:52:24 2013 +0000
>
> ----------------------------------------------------------------------
>  share/www/script/test/users_db.js  |   10 ++++++++++
>  src/couchdb/couch_js_functions.hrl |    6 ++++++
>  2 files changed, 16 insertions(+), 0 deletions(-)
> ----------------------------------------------------------------------
>
>
> http://git-wip-us.apache.org/repos/asf/couchdb/blob/5f507095/share/www/script/test/users_db.js
> ----------------------------------------------------------------------
> diff --git a/share/www/script/test/users_db.js b/share/www/script/test/users_db.js
> index 44e6c88..4d6e4de 100644
> --- a/share/www/script/test/users_db.js
> +++ b/share/www/script/test/users_db.js
> @@ -112,6 +112,16 @@ couchTests.users_db = function(debug) {
>      }
>      jchrisUserDoc.roles = [];
>
> +    // "roles" must be an array of strings
> +    jchrisUserDoc.roles = [12];
> +    try {
> +      usersDb.save(jchrisUserDoc);
> +      T(false && "should only allow us to save doc when roles is an array of strings");
> +    } catch(e) {
> +      TEquals(e.reason, "doc.roles can only contain strings");
> +    }
> +    jchrisUserDoc.roles = [];
> +
>      // "roles" must exist
>      delete jchrisUserDoc.roles;
>      try {
>
> http://git-wip-us.apache.org/repos/asf/couchdb/blob/5f507095/src/couchdb/couch_js_functions.hrl
> ----------------------------------------------------------------------
> diff --git a/src/couchdb/couch_js_functions.hrl b/src/couchdb/couch_js_functions.hrl
> index 2ecd851..774b724 100644
> --- a/src/couchdb/couch_js_functions.hrl
> +++ b/src/couchdb/couch_js_functions.hrl
> @@ -39,6 +39,12 @@
>              throw({forbidden: 'doc.roles must be an array'});
>          }
>
> +        for (var idx = 0; idx < newDoc.roles.length; idx++) {
> +            if (typeof newDoc.roles[idx] !== 'string') {
> +                throw({forbidden: 'doc.roles can only contain strings'});
> +            }
> +        }
> +
>          if (newDoc._id !== ('org.couchdb.user:' + newDoc.name)) {
>              throw({
>                  forbidden: 'Doc ID must be of the form org.couchdb.user:name'
>