Posted to commits@couchdb.apache.org by va...@apache.org on 2020/04/06 22:02:01 UTC
[couchdb] 03/05: Do not allow editing _security in _user database
This is an automated email from the ASF dual-hosted git repository.
vatamane pushed a commit to branch fix-api-corner-cases-and-make-chttpd-pass
in repository https://gitbox.apache.org/repos/asf/couchdb.git
commit 3c7f8f2af4eaeb39285730693ca242a2c98e6688
Author: Nick Vatamaniuc <va...@apache.org>
AuthorDate: Mon Apr 6 17:48:59 2020 -0400
Do not allow editing _security in _user database
It should only be allowed if explicitly configured. Previously we did not
properly match on the database name and effectively always allowed it.
---
src/chttpd/src/chttpd_db.erl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/chttpd/src/chttpd_db.erl b/src/chttpd/src/chttpd_db.erl
index 1d7798e..384b1f1 100644
--- a/src/chttpd/src/chttpd_db.erl
+++ b/src/chttpd/src/chttpd_db.erl
@@ -1962,7 +1962,7 @@ extract_header_rev(Req, ExplicitRev) ->
end.
validate_security_can_be_edited(DbName) ->
- UserDbName = config:get("chttpd_auth", "authentication_db", "_users"),
+ UserDbName = ?l2b(config:get("chttpd_auth", "authentication_db", "_users")),
CanEditUserSecurityObject = config:get("couchdb","users_db_security_editable","false"),
case {DbName,CanEditUserSecurityObject} of
{UserDbName,"false"} ->
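Review bot: the `{UserDbName,"false"}` clause still fails open. It denies the edit only when the database name matches as a binary and the config value is the exact string "false", so any other value for users_db_security_editable (a different case, a typo) or any future type mismatch on DbName skips this clause silently, which is the same way the original bug went unnoticed. Consider parsing the flag as a boolean and structuring the case so that the authentication database is denied unless editing is explicitly enabled. The diffstat also shows only chttpd_db.erl changed, so a regression test that a _security update on the authentication db is rejected with the default configuration would be worth adding alongside this fix.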