Posted to commits@couchdb.apache.org by jc...@apache.org on 2010/01/09 20:05:31 UTC

svn commit: r897521 - in /couchdb/trunk: share/www/script/test/cookie_auth.js share/www/script/test/users_db.js src/couchdb/couch_httpd_auth.erl

Author: jchris
Date: Sat Jan  9 19:05:31 2010
New Revision: 897521

URL: http://svn.apache.org/viewvc?rev=897521&view=rev
Log:
better validations on users db

Modified:
    couchdb/trunk/share/www/script/test/cookie_auth.js
    couchdb/trunk/share/www/script/test/users_db.js
    couchdb/trunk/src/couchdb/couch_httpd_auth.erl

Modified: couchdb/trunk/share/www/script/test/cookie_auth.js
URL: http://svn.apache.org/viewvc/couchdb/trunk/share/www/script/test/cookie_auth.js?rev=897521&r1=897520&r2=897521&view=diff
==============================================================================
--- couchdb/trunk/share/www/script/test/cookie_auth.js (original)
+++ couchdb/trunk/share/www/script/test/cookie_auth.js Sat Jan  9 19:05:31 2010
@@ -99,14 +99,6 @@
         T(e.error == "forbidden");
         T(usersDb.last_req.status == 403);
       }
-
-      try {
-        usersDb.save(underscoreUserDoc)
-        T(false && "Can't create underscore user names. Should have thrown an error.");
-      } catch (e) {
-        T(e.error == "forbidden");
-        T(usersDb.last_req.status == 403);
-      }
       
       // login works
       T(CouchDB.login('Jason Davies', password).ok);
@@ -115,6 +107,15 @@
       // update one's own credentials document
       jasonUserDoc.foo=2;
       T(usersDb.save(jasonUserDoc).ok);
+      T(CouchDB.session().roles.indexOf("_admin") == -1);
+      // can't delete another users doc unless you are admin
+      try {
+        usersDb.deleteDoc(jchrisUserDoc);
+        T(false && "Can't delete other users docs. Should have thrown an error.");
+      } catch (e) {
+        T(e.error == "forbidden");
+        T(usersDb.last_req.status == 403);
+      }
 
       // TODO should login() throw an exception here?
        T(!CouchDB.login('Jason Davies', "2.71828").ok);
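Review bot: The added assertions cover only the refusal path of the new delete rule. The `validate_doc_update` change in this commit also allows deletes by `_admin` and by the user whose name matches `oldDoc.username`, and neither allowed path is exercised here. I would add a positive case for each, against a throwaway user doc so later logins in this test are unaffected, e.g. `T(usersDb.deleteDoc(tmpUserDoc).ok);` run once as the owner and once as an admin. `jchrisUserDoc` is defined outside this hunk, so this assumes it belongs to a different user than the logged-in session.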

Modified: couchdb/trunk/share/www/script/test/users_db.js
URL: http://svn.apache.org/viewvc/couchdb/trunk/share/www/script/test/users_db.js?rev=897521&r1=897520&r2=897521&view=diff
==============================================================================
--- couchdb/trunk/share/www/script/test/users_db.js (original)
+++ couchdb/trunk/share/www/script/test/users_db.js Sat Jan  9 19:05:31 2010
@@ -37,13 +37,15 @@
     T(usersDb.save(jchrisUserDoc).ok);
     
     T(CouchDB.session().name == null);
+
+    // test that you can use basic auth aginst the users db
     var s = CouchDB.session({
       headers : {
         "Authorization" : "Basic amNocmlzQGFwYWNoZS5vcmc6ZnVubnlib25l"
       }
     });
     T(s.name == "jchris@apache.org");
-    T(s.user_doc._id == "org.couchdb.user:jchris@apache.org")
+    T(s.user_doc._id == "org.couchdb.user:jchris@apache.org");
     T(s.info.authenticated == "{couch_httpd_auth, default_authentication_handler}");
     T(s.info.user_db == "test_suite_users");
     TEquals(["{couch_httpd_oauth, oauth_authentication_handler}", 

Modified: couchdb/trunk/src/couchdb/couch_httpd_auth.erl
URL: http://svn.apache.org/viewvc/couchdb/trunk/src/couchdb/couch_httpd_auth.erl?rev=897521&r1=897520&r2=897521&view=diff
==============================================================================
--- couchdb/trunk/src/couchdb/couch_httpd_auth.erl (original)
+++ couchdb/trunk/src/couchdb/couch_httpd_auth.erl Sat Jan  9 19:05:31 2010
@@ -130,7 +130,13 @@
     try couch_httpd_db:couch_doc_open(Db, DocId, nil, []) of
         #doc{}=Doc ->
             {DocProps} = couch_query_servers:json_doc(Doc),
-            DocProps
+            case proplists:get_value(<<"type">>, DocProps) of
+                <<"user">> -> 
+                    DocProps;
+                _Else -> 
+                    ?LOG_ERROR("Invalid user doc. Id: ~p",[DocId]),
+                    nil
+            end
     catch
         throw:Throw ->
             nil        
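Review bot: The new `case` on `<<"type">>` has no comment explaining why it is needed, and the reason is not visible from this function alone. The `validate_doc_update` function in this same commit returns early for docs whose type is not 'user', so such docs are stored without field validation and must not be returned as credentials. I would add above the case `%% validate_doc_update skips non-user docs, so never treat one as a user record`. The `_Else` branch logs at error level for a state that an ordinary document write can produce, so a lower level may fit better if this codebase has one. The enclosing function starts outside the hunk.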
@@ -164,19 +170,21 @@
     DocProps = [
         {<<"_id">>, DocId},
         {<<"language">>,<<"javascript">>},
-        {<<"views">>,
-            {[{<<"users">>,
-                {[{<<"map">>,
-                    <<"function (doc) {\n if (doc.type == \"user\") {\n        emit(doc.username, doc);\n}\n}">>
-                }]}
-            }]}
-        },
         {
             <<"validate_doc_update">>,
             <<"function(newDoc, oldDoc, userCtx) {
-                if (newDoc.type != 'user') {
+                if ((oldDoc || newDoc).type != 'user') {
                     return;
                 } // we only validate user docs for now
+                if (newDoc._deleted === true) {
+                    // allow deletes by admins and matching users 
+                    // without checking the other fields
+                    if ((userCtx.roles.indexOf('_admin') != -1) || (userCtx.name == oldDoc.username)) {
+                        return;
+                    } else {
+                        throw({forbidden : 'Only admins may delete other user docs.'});
+                    }
+                }
                 if (!newDoc.username) {
                     throw({forbidden : 'doc.username is required'});
                 }
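Review bot: The type guard `(oldDoc || newDoc).type != 'user'` reads only the stored revision whenever one exists, so an update that changes an existing non-user doc's type to 'user' returns before any of the field checks below run. Validation should apply when either revision is a user doc, e.g. `if (newDoc.type != 'user' && !(oldDoc && oldDoc.type == 'user')) { return; }`. In the delete branch `oldDoc.username` is read without checking that `oldDoc` exists, so a non-admin tombstone write with no prior revision fails with a script error instead of the intended `forbidden`. Writing the comparison as `(oldDoc && userCtx.name == oldDoc.username)` avoids that. The function body continues past the end of this hunk.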