Posted to commits@couchdb.apache.org by ja...@apache.org on 2022/08/06 14:10:50 UTC

[couchdb] 04/21: feat(access): add new _users role for all authenticated users

This is an automated email from the ASF dual-hosted git repository.

jan pushed a commit to branch feat/access-2022
in repository https://gitbox.apache.org/repos/asf/couchdb.git

commit 48c1c1d0a32131febac84aa6071e67a18b8cbd06
Author: Jan Lehnardt <ja...@apache.org>
AuthorDate: Fri Jun 24 17:13:25 2022 +0200

    feat(access): add new _users role for all authenticated users
---
 src/couch/src/couch_httpd_auth.erl | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index c74ca9bd8..d7bb7b519 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -99,6 +99,13 @@ basic_name_pw(Req) ->
             nil
     end.
 
+extract_roles(UserProps) ->
+    Roles = couch_util:get_value(<<"roles">>, UserProps, []),
+    case lists:member(<<"_admin">>, Roles) of
+        true -> Roles;
+        _ -> Roles ++ [<<"_users">>]
+    end.
+
 default_authentication_handler(Req) ->
     default_authentication_handler(Req, couch_auth_cache).
 
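Review bot: extract_roles/1 carries no comment or spec explaining why holders of `_admin` are returned without `_users`, which matters because any later access check keyed on `_users` alone would presumably exclude admins unless it also tests `_admin`. A short header would make the contract explicit, e.g. `%% Adds the implicit <<"_users">> role for every authenticated non-admin user; admins are matched via <<"_admin">> only.` together with a `-spec extract_roles(list()) -> [binary()].` line. Since lists:member/2 returns only a boolean, the second clause reads more clearly as `false -> Roles ++ [<<"_users">>]` than as `_ ->`. If the stored roles can already contain `_users`, the role is appended a second time; a `lists:member(<<"_users">>, Roles)` check before appending would avoid the duplicate.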
@@ -117,7 +124,7 @@ default_authentication_handler(Req, AuthModule) ->
                             Req#httpd{
                                 user_ctx = #user_ctx{
                                     name = UserName,
-                                    roles = couch_util:get_value(<<"roles">>, UserProps, [])
+                                    roles = extract_roles(UserProps)
                                 }
                             };
                         false ->
@@ -189,7 +196,7 @@ proxy_auth_user(Req) ->
             Roles =
                 case header_value(Req, XHeaderRoles) of
                     undefined -> [];
-                    Else -> re:split(Else, "\\s*,\\s*", [trim, {return, binary}])
+                    Else -> [<<"_users">> | re:split(Else, "\\s*,\\s*", [trim, {return, binary}])]
                 end,
             case
                 chttpd_util:get_chttpd_auth_config_boolean(
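Review bot: The `undefined -> [];` branch is left unchanged, so a proxy-authenticated request with no roles header gets no `_users` role, while a request with the header always gets it, even when the header lists `_admin`. That differs from extract_roles/1 in the same commit, which leaves `_users` off for admins. If the role is meant for every authenticated non-admin user on all paths, the case could apply the same rule to both branches, for example `undefined -> [<<"_users">>];` plus an `_admin` membership test on the split result before prepending. Role names from the header are used verbatim, so a header that already names `_users` would yield the role twice. proxy_auth_user starts and ends outside this hunk, so how Roles is consumed afterwards is not visible here.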
@@ -326,9 +333,7 @@ cookie_authentication_handler(#httpd{mochi_req = MochiReq} = Req, AuthModule) ->
                                             Req#httpd{
                                                 user_ctx = #user_ctx{
                                                     name = ?l2b(User),
-                                                    roles = couch_util:get_value(
-                                                        <<"roles">>, UserProps, []
-                                                    )
+                                                    roles = extract_roles(UserProps)
                                                 },
                                                 auth = {FullSecret, TimeLeft < Timeout * 0.9}
                                             };
@@ -449,7 +454,7 @@ handle_session_req(#httpd{method = 'POST', mochi_req = MochiReq} = Req, AuthModu
                 {[
                     {ok, true},
                     {name, UserName},
-                    {roles, couch_util:get_value(<<"roles">>, UserProps, [])}
+                    {roles, extract_roles(UserProps)}
                 ]}
             );
         false ->