Posted to commits@couchdb.apache.org by va...@apache.org on 2020/04/06 22:02:01 UTC

[couchdb] 03/05: Do not allow editing _security in _user database

This is an automated email from the ASF dual-hosted git repository.

vatamane pushed a commit to branch fix-api-corner-cases-and-make-chttpd-pass
in repository https://gitbox.apache.org/repos/asf/couchdb.git

commit 3c7f8f2af4eaeb39285730693ca242a2c98e6688
Author: Nick Vatamaniuc <va...@apache.org>
AuthorDate: Mon Apr 6 17:48:59 2020 -0400

    Do not allow editing _security in _user database
    
    It should only be allowed if explicitly configured. Previously we did not
    properly match on the database name and effectively always allowed it.
---
 src/chttpd/src/chttpd_db.erl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
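The commit message above describes an authorization check that never fired because of a type mismatch. The following Erlang module is an added illustration written for this page, not CouchDB's own code: it reproduces the shape of the buggy and fixed checks side by side. `config_get/3` is a constructed stand-in for `config:get/3` (which, like the real one, returns strings, i.e. Erlang lists), the `_ -> ok` fallthrough and the `{error, forbidden}` result are assumptions (the rest of the real function is not shown on this page), and `list_to_binary/1` stands in for the `?l2b` macro used in the patch.

```erlang
%% Added illustration (not CouchDB code): a pattern-match based
%% authorization check that fails open because one side is a list
%% and the other is a binary.
-module(security_edit_check).
-export([before_fix/2, after_fix/2, demo/0]).

%% Constructed stand-in for config:get/3. Configuration is passed in
%% explicitly instead of being read from CouchDB's config store, but
%% values are strings (lists), exactly as config:get/3 returns them.
config_get(Config, Key, Default) ->
    proplists:get_value(Key, Config, Default).

%% Buggy shape. UserDbName is the list "_users", while DbName comes
%% from the HTTP layer as the binary <<"_users">>. A list never equals
%% a binary, so the first clause is dead and every request falls
%% through to the permissive clause (assumed here to return ok).
before_fix(DbName, Config) ->
    UserDbName = config_get(Config, authentication_db, "_users"),
    CanEdit = config_get(Config, users_db_security_editable, "false"),
    case {DbName, CanEdit} of
        {UserDbName, "false"} -> {error, forbidden};
        _ -> ok
    end.

%% Fixed shape. Convert the configured name to a binary first (the
%% patch's ?l2b does list_to_binary/1), so both sides of the match
%% have the same type and the restrictive clause can actually match.
after_fix(DbName, Config) ->
    UserDbName = list_to_binary(
        config_get(Config, authentication_db, "_users")),
    CanEdit = config_get(Config, users_db_security_editable, "false"),
    case {DbName, CanEdit} of
        {UserDbName, "false"} -> {error, forbidden};
        _ -> ok
    end.

%% Constructed scenarios: default config (editing not enabled) and a
%% config that explicitly enables editing of the users db _security.
demo() ->
    Default = [],
    Enabled = [{users_db_security_editable, "true"}],
    %% Before the fix: editing _users/_security is allowed even though
    %% nothing enabled it (the fail-open behaviour the commit fixes).
    ok = before_fix(<<"_users">>, Default),
    %% After the fix: rejected unless explicitly enabled; other
    %% databases are unaffected by this check.
    {error, forbidden} = after_fix(<<"_users">>, Default),
    ok = after_fix(<<"_users">>, Enabled),
    ok = after_fix(<<"mydb">>, Default),
    ok.
```

Run with `erlc security_edit_check.erl && erl -noshell -s security_edit_check demo -s init stop`; each `=` in `demo/0` is a match assertion, so a badmatch crash would indicate one of the scenarios no longer holds. The design point is that Erlang's `case` compares a bound variable for equality with no implicit coercion, which makes mixed list/binary values in a security check silently select the wrong branch.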

diff --git a/src/chttpd/src/chttpd_db.erl b/src/chttpd/src/chttpd_db.erl
index 1d7798e..384b1f1 100644
--- a/src/chttpd/src/chttpd_db.erl
+++ b/src/chttpd/src/chttpd_db.erl
@@ -1962,7 +1962,7 @@ extract_header_rev(Req, ExplicitRev) ->
     end.
 
 validate_security_can_be_edited(DbName) ->
-    UserDbName = config:get("chttpd_auth", "authentication_db", "_users"),
+    UserDbName = ?l2b(config:get("chttpd_auth", "authentication_db", "_users")),
     CanEditUserSecurityObject = config:get("couchdb","users_db_security_editable","false"),
     case {DbName,CanEditUserSecurityObject} of
         {UserDbName,"false"} ->
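Review bot: the one-line fix is correct as far as the hunk shows (the string returned by config:get/3 could never equal a binary DbName, so the `{UserDbName,"false"}` clause was dead and requests fell through to the permissive path), but it lands without a regression test; a chttpd test that writes _security on the configured authentication database with users_db_security_editable unset, and expects the request to be rejected, would catch this class of type mismatch if it recurs. Two smaller points on the same lines: the editable flag is matched against the literal string "false", so any other spelling in the ini file (for example "False" or "no") skips this clause and falls through to the permissive branch; reading it with config:get_boolean/3 instead would normalise the value before the case. And the new comparison only holds if DbName is a binary on every call path into validate_security_can_be_edited/1; the callers are not in this hunk, so that is worth confirming.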