You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@couchdb.apache.org by ja...@apache.org on 2021/08/11 04:37:21 UTC
[couchdb] branch restrict-ddoc-update-methods updated (9b74698 ->
53521aa)
This is an automated email from the ASF dual-hosted git repository.
jaydoane pushed a change to branch restrict-ddoc-update-methods
in repository https://gitbox.apache.org/repos/asf/couchdb.git.
discard 9b74698 Restrict design doc update methods
new 53521aa Restrict design doc update methods
This update added new revisions after undoing existing revisions.
That is to say, some revisions that were in the old version of the
branch are not in the new version. This situation occurs
when a user --force pushes a change and generates a repository
containing something like this:
* -- * -- B -- O -- O -- O (9b74698)
\
N -- N -- N refs/heads/restrict-ddoc-update-methods (53521aa)
You should already have received notification emails for all of the O
revisions, and so the following emails describe only the N revisions
from the common base, B.
Any revisions marked "omit" are not gone; other references still
refer to them. Any revisions marked "discard" are gone forever.
The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
test/elixir/test/update_documents_test.exs | 11 +++++++++++
1 file changed, 11 insertions(+)
[couchdb] 01/01: Restrict design doc update methods
Posted by ja...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
jaydoane pushed a commit to branch restrict-ddoc-update-methods
in repository https://gitbox.apache.org/repos/asf/couchdb.git
commit 53521aaeba180ebc01e5e7a1a71d6cacb3a97a6f
Author: Jay Doane <ja...@apache.org>
AuthorDate: Tue Aug 10 15:09:17 2021 -0700
Restrict design doc update methods
Documentation for design doc update functions specifies that permitted
methods are:
POST /{db}/_design/{ddoc}/_update/{func}
PUT /{db}/_design/{ddoc}/_update/{func}/{docid} [2]
But currently anything is accepted, even bogus methods such as in the
following example work:
```
$ curl -v -u adm localhost:15984/db-1/_design/ddoc/_update/change -X BOGUS
> BOGUS /db-1/_design/bar/_update/change HTTP/1.1
>
< HTTP/1.1 200 OK
< content-length: 11
< content-type: text/html; charset=utf-8
<
* Connection #0 to host localhost left intact
Empty World* Closing connection 0
```
A strict reading of the docs indicates that the null document endpoint
only allows POST [1] while the endpoint taking a document id only
allows PUT [2]. However, the examples in both cases exclusively use
POST, and also PUT doesn't make as much sense from a semantic
perspective since a new resource isn't being created, I assume the PUT
is a typo, and both should be changed to POST.
However, given the inconsistent usage even in CouchDB's own test
suite, it seems prudent to minimize incompatibility, while still
imposing reasonable restrictions, and allow either PUT or POST for
both endpoints.
[1] https://docs.couchdb.org/en/latest/api/ddoc/render.html#post--db-_design-ddoc-_update-func
[2] https://docs.couchdb.org/en/latest/api/ddoc/render.html#put--db-_design-ddoc-_update-func-docid
---
src/chttpd/src/chttpd_show.erl | 11 ++++++-----
test/elixir/test/update_documents_test.exs | 19 +++++++++++++++----
2 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/src/chttpd/src/chttpd_show.erl b/src/chttpd/src/chttpd_show.erl
index c2c37c6..de1eb28 100644
--- a/src/chttpd/src/chttpd_show.erl
+++ b/src/chttpd/src/chttpd_show.erl
@@ -95,11 +95,12 @@ show_etag(#httpd{user_ctx=UserCtx}=Req, Doc, DDoc, More) ->
couch_httpd:make_etag({couch_httpd:doc_etag(DDoc), DocPart, Accept,
UserCtx#user_ctx.roles, More}).
-% /db/_design/foo/update/bar/docid
-% updates a doc based on a request
-% handle_doc_update_req(#httpd{method = 'GET'}=Req, _Db, _DDoc) ->
-% % anything but GET
-% send_method_not_allowed(Req, "POST,PUT,DELETE,ETC");
+
+handle_doc_update_req(#httpd{
+ method=Method,
+ path_parts=[_, <<"_design">>, _, <<"_update">> | _MaybeDocIdParts]
+ }=Req, _Db, _DDoc) when Method =/= 'POST' andalso Method =/= 'PUT' ->
+ chttpd:send_method_not_allowed(Req, "POST,PUT");
handle_doc_update_req(#httpd{
path_parts=[_, _, _, _, UpdateName]
diff --git a/test/elixir/test/update_documents_test.exs b/test/elixir/test/update_documents_test.exs
index c29b31a..df5856b 100644
--- a/test/elixir/test/update_documents_test.exs
+++ b/test/elixir/test/update_documents_test.exs
@@ -106,6 +106,17 @@ defmodule UpdateDocumentsTest do
@document %{word: "plankton", name: "Rusty"}
@tag :with_db
+ test "update error method not allowed", context do
+ db_name = context[:db_name]
+ create_doc(db_name, @ddoc)
+
+ resp = Couch.get("/#{db_name}/_design/update/_update/")
+ assert resp.status_code == 405
+ assert resp.body["error"] == "method_not_allowed"
+ assert resp.body["reason"] == "Only POST,PUT allowed"
+ end
+
+ @tag :with_db
test "update error invalid path", context do
db_name = context[:db_name]
create_doc(db_name, @ddoc)
@@ -135,7 +146,7 @@ defmodule UpdateDocumentsTest do
# Fix for COUCHDB-379
assert String.starts_with?(resp.headers["Server"], "CouchDB")
- resp = Couch.put("/#{db_name}/_design/update/_update/hello")
+ resp = Couch.post("/#{db_name}/_design/update/_update/hello")
assert resp.status_code == 200
assert resp.body == "<p>Empty World</p>"
end
@@ -246,7 +257,7 @@ defmodule UpdateDocumentsTest do
test "Server provides UUID when POSTing without an ID in the URL", context do
db_name = context[:db_name]
create_doc(db_name, @ddoc)
- resp = Couch.put("/#{db_name}/_design/update/_update/get-uuid/")
+ resp = Couch.post("/#{db_name}/_design/update/_update/get-uuid/")
assert resp.status_code == 200
assert String.length(resp.body) == 32
end
@@ -286,10 +297,10 @@ defmodule UpdateDocumentsTest do
assert resp.status_code == 200
assert resp.body["counter"] == 3
- resp = Couch.put("/#{db_name}/_design/update/_update/resp-code/")
+ resp = Couch.post("/#{db_name}/_design/update/_update/resp-code/")
assert resp.status_code == 302
- resp = Couch.put("/#{db_name}/_design/update/_update/resp-code-and-json/")
+ resp = Couch.post("/#{db_name}/_design/update/_update/resp-code-and-json/")
assert resp.status_code == 302
assert resp.body["ok"] == true
end