You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@couchdb.apache.org by Benoit Chesneau <bc...@gmail.com> on 2013/02/10 13:56:13 UTC
Re: git commit: Only allow strings in user doc "roles" array
sounds good for me
On Sun, Feb 10, 2013 at 11:53 AM, <rn...@apache.org> wrote:
> Updated Branches:
> refs/heads/1675-fix-roles-validation [created] 5f507095a
>
>
> Only allow strings in user doc "roles" array
>
> We validate that _security documents only contain strings but we have
> not done the same for the roles field in user docs. This is a breaking
> change as users may have been inserting other things (notably,
> objects) in this field.
>
> COUCHDB-1675
>
>
> Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
> Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/5f507095
> Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/5f507095
> Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/5f507095
>
> Branch: refs/heads/1675-fix-roles-validation
> Commit: 5f507095a0c7996391f6ca37a30fd0c4829b5e45
> Parents: 3b103eb
> Author: Robert Newson <rn...@apache.org>
> Authored: Sun Feb 10 10:52:24 2013 +0000
> Committer: Robert Newson <rn...@apache.org>
> Committed: Sun Feb 10 10:52:24 2013 +0000
>
> ----------------------------------------------------------------------
> share/www/script/test/users_db.js | 10 ++++++++++
> src/couchdb/couch_js_functions.hrl | 6 ++++++
> 2 files changed, 16 insertions(+), 0 deletions(-)
> ----------------------------------------------------------------------
>
>
> http://git-wip-us.apache.org/repos/asf/couchdb/blob/5f507095/share/www/script/test/users_db.js
> ----------------------------------------------------------------------
> diff --git a/share/www/script/test/users_db.js b/share/www/script/test/users_db.js
> index 44e6c88..4d6e4de 100644
> --- a/share/www/script/test/users_db.js
> +++ b/share/www/script/test/users_db.js
> @@ -112,6 +112,16 @@ couchTests.users_db = function(debug) {
> }
> jchrisUserDoc.roles = [];
>
> + // "roles" must be an array of strings
> + jchrisUserDoc.roles = [12];
> + try {
> + usersDb.save(jchrisUserDoc);
> + T(false && "should only allow us to save doc when roles is an array of strings");
> + } catch(e) {
> + TEquals(e.reason, "doc.roles can only contain strings");
> + }
> + jchrisUserDoc.roles = [];
> +
> // "roles" must exist
> delete jchrisUserDoc.roles;
> try {
>
> http://git-wip-us.apache.org/repos/asf/couchdb/blob/5f507095/src/couchdb/couch_js_functions.hrl
> ----------------------------------------------------------------------
> diff --git a/src/couchdb/couch_js_functions.hrl b/src/couchdb/couch_js_functions.hrl
> index 2ecd851..774b724 100644
> --- a/src/couchdb/couch_js_functions.hrl
> +++ b/src/couchdb/couch_js_functions.hrl
> @@ -39,6 +39,12 @@
> throw({forbidden: 'doc.roles must be an array'});
> }
>
> + for (var idx = 0; idx < newDoc.roles.length; idx++) {
> + if (typeof newDoc.roles[idx] !== 'string') {
> + throw({forbidden: 'doc.roles can only contain strings'});
> + }
> + }
> +
> if (newDoc._id !== ('org.couchdb.user:' + newDoc.name)) {
> throw({
> forbidden: 'Doc ID must be of the form org.couchdb.user:name'
>