Posted to commits@couchdb.apache.org by ja...@apache.org on 2021/08/11 03:13:46 UTC

[couchdb] branch restrict-ddoc-update-methods created (now 9b74698)

This is an automated email from the ASF dual-hosted git repository.

jaydoane pushed a change to branch restrict-ddoc-update-methods
in repository https://gitbox.apache.org/repos/asf/couchdb.git.


      at 9b74698  Restrict design doc update methods

This branch includes the following new commits:

     new 6582df6  Remove unused variable
     new 9b74698  Restrict design doc update methods

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


[couchdb] 01/02: Remove unused variable

Posted by ja...@apache.org.

jaydoane pushed a commit to branch restrict-ddoc-update-methods
in repository https://gitbox.apache.org/repos/asf/couchdb.git

commit 6582df6139f773e6b2c04283e5191cc612a51748
Author: Jay Doane <ja...@apache.org>
AuthorDate: Tue Aug 10 13:17:26 2021 -0700

    Remove unused variable
---
 src/couch/src/couch_db.erl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/couch/src/couch_db.erl b/src/couch/src/couch_db.erl
index 8837101..ead77c6 100644
--- a/src/couch/src/couch_db.erl
+++ b/src/couch/src/couch_db.erl
@@ -575,7 +575,7 @@ get_compacted_seq(#db{}=Db) ->
 get_compactor_pid(#db{compactor_pid = Pid}) ->
     Pid.
 
-get_compactor_pid_sync(#db{main_pid=Pid}=Db) ->
+get_compactor_pid_sync(#db{main_pid=Pid}) ->
     case gen_server:call(Pid, compactor_pid, infinity) of
         CPid when is_pid(CPid) ->
             CPid;

[couchdb] 02/02: Restrict design doc update methods

Posted by ja...@apache.org.

jaydoane pushed a commit to branch restrict-ddoc-update-methods
in repository https://gitbox.apache.org/repos/asf/couchdb.git

commit 9b74698faf7ee8fec4af9735652a51f7ddab36cb
Author: Jay Doane <ja...@apache.org>
AuthorDate: Tue Aug 10 15:09:17 2021 -0700

    Restrict design doc update methods
    
    Documentation for design doc update functions specifies that permitted
    methods are:
    
        POST /{db}/_design/{ddoc}/_update/{func}
        PUT /{db}/_design/{ddoc}/_update/{func}/{docid} [2]
    
    But currently anything is accepted, even bogus methods such as in the
    following example work:
    
    ```
    $ curl -v -u adm localhost:15984/db-1/_design/ddoc/_update/change -X BOGUS
    
    > BOGUS /db-1/_design/bar/_update/change HTTP/1.1
    >
    < HTTP/1.1 200 OK
    < content-length: 11
    < content-type: text/html; charset=utf-8
    <
    * Connection #0 to host localhost left intact
    Empty World* Closing connection 0
    ```
    
    A strict reading of the docs indicates that the null document endpoint
    only allows POST [1] while the endpoint taking a document id only
    allows PUT [2]. However, the examples in both cases exclusively use
    POST, and PUT also doesn't make as much sense from a semantic
    perspective since a new resource isn't being created, so I assume the
    PUT is a typo and both should be changed to POST.
    
    However, given the inconsistent usage even in CouchDB's own test
    suite, it seems prudent to minimize incompatibility, while still
    imposing reasonable restrictions, and allow either PUT or POST for
    both endpoints.
    
    [1] https://docs.couchdb.org/en/latest/api/ddoc/render.html#post--db-_design-ddoc-_update-func
    [2] https://docs.couchdb.org/en/latest/api/ddoc/render.html#put--db-_design-ddoc-_update-func-docid
---
 src/chttpd/src/chttpd_show.erl             | 11 ++++++-----
 test/elixir/test/update_documents_test.exs |  8 ++++----
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/src/chttpd/src/chttpd_show.erl b/src/chttpd/src/chttpd_show.erl
index c2c37c6..de1eb28 100644
--- a/src/chttpd/src/chttpd_show.erl
+++ b/src/chttpd/src/chttpd_show.erl
@@ -95,11 +95,12 @@ show_etag(#httpd{user_ctx=UserCtx}=Req, Doc, DDoc, More) ->
     couch_httpd:make_etag({couch_httpd:doc_etag(DDoc), DocPart, Accept,
         UserCtx#user_ctx.roles, More}).
 
-% /db/_design/foo/update/bar/docid
-% updates a doc based on a request
-% handle_doc_update_req(#httpd{method = 'GET'}=Req, _Db, _DDoc) ->
-%     % anything but GET
-%     send_method_not_allowed(Req, "POST,PUT,DELETE,ETC");
+
+handle_doc_update_req(#httpd{
+        method=Method,
+        path_parts=[_, <<"_design">>, _, <<"_update">> | _MaybeDocIdParts]
+    }=Req, _Db, _DDoc) when Method =/= 'POST' andalso Method =/= 'PUT' ->
+    chttpd:send_method_not_allowed(Req, "POST,PUT");
 
 handle_doc_update_req(#httpd{
         path_parts=[_, _, _, _, UpdateName]
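Review bot: The two descriptive comment lines removed at the top of this hunk (`% /db/_design/foo/update/bar/docid` and `% updates a doc based on a request`) still document the route and should stay above the new clause; only the commented-out `handle_doc_update_req` stub beneath them is dead code. The added `+` blank line also leaves two consecutive blank lines ahead of the new clause. The clause itself looks right and sits ahead of the existing `handle_doc_update_req` clauses as it must: the `[_, <<"_design">>, _, <<"_update">> | _MaybeDocIdParts]` pattern covers both the bare endpoint and the one carrying a document id, the guard `Method =/= 'POST' andalso Method =/= 'PUT'` routes every other method, including the BOGUS example in the commit message, to `chttpd:send_method_not_allowed(Req, "POST,PUT")`, and that method list matches exactly what the guard lets through, so the response advertises the correct `Allow` set.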
diff --git a/test/elixir/test/update_documents_test.exs b/test/elixir/test/update_documents_test.exs
index c29b31a..a518e0f 100644
--- a/test/elixir/test/update_documents_test.exs
+++ b/test/elixir/test/update_documents_test.exs
@@ -135,7 +135,7 @@ defmodule UpdateDocumentsTest do
     # Fix for COUCHDB-379
     assert String.starts_with?(resp.headers["Server"], "CouchDB")
 
-    resp = Couch.put("/#{db_name}/_design/update/_update/hello")
+    resp = Couch.post("/#{db_name}/_design/update/_update/hello")
     assert resp.status_code == 200
     assert resp.body == "<p>Empty World</p>"
   end
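Review bot: None of the test hunks exercise the new 405 path. Because PUT remains permitted by the new guard, swapping `Couch.put` for `Couch.post` here keeps the test green but does not verify the restriction that this commit introduces. Consider adding, next to this assertion, a request with a method that is now rejected, e.g. `resp = Couch.get("/#{db_name}/_design/update/_update/hello")` followed by `assert resp.status_code == 405`, and checking `resp.headers["Allow"]` against the "POST,PUT" list passed to `send_method_not_allowed` so the advertised methods and the enforced ones cannot drift apart.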
@@ -246,7 +246,7 @@ defmodule UpdateDocumentsTest do
   test "Server provides UUID when POSTing without an ID in the URL", context do
     db_name = context[:db_name]
     create_doc(db_name, @ddoc)
-    resp = Couch.put("/#{db_name}/_design/update/_update/get-uuid/")
+    resp = Couch.post("/#{db_name}/_design/update/_update/get-uuid/")
     assert resp.status_code == 200
     assert String.length(resp.body) == 32
   end
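Review bot: Beyond the method restriction, this hunk also fixes a mismatch between the test and its own name: it is titled "Server provides UUID when POSTing without an ID in the URL" but issued a PUT, so `Couch.post` makes the request do what the description says.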
@@ -286,10 +286,10 @@ defmodule UpdateDocumentsTest do
     assert resp.status_code == 200
     assert resp.body["counter"] == 3
 
-    resp = Couch.put("/#{db_name}/_design/update/_update/resp-code/")
+    resp = Couch.post("/#{db_name}/_design/update/_update/resp-code/")
     assert resp.status_code == 302
 
-    resp = Couch.put("/#{db_name}/_design/update/_update/resp-code-and-json/")
+    resp = Couch.post("/#{db_name}/_design/update/_update/resp-code-and-json/")
     assert resp.status_code == 302
     assert resp.body["ok"] == true
   end