You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@couchdb.apache.org by Adam Kocoloski <ad...@gmail.com> on 2008/12/03 19:55:09 UTC
Re: New Security and Validation Features
On Nov 21, 2008, at 5:12 PM, Damien Katz wrote:
> -Authorization/Validation-
>
> Each design document can contain a document update validation
> function. Like views, these can be in any language. The language is
> set at the design document level.
>
> On document update -- either via interactive update or via
> replication -- each is run in succession. These validation functions
> are responsible for enforcing document constraints or schemas, and
> to enforce security.
>
> Validation functions are provided the new document, previous
> revision of the document on disk, and the user context. The user
> context has the users name and roles.
>
> If the document values don't pass validation, a forbidden exception
> is returned If the user isn't allow to update the document, a
> unauthorized exception is returned.
>
> This scheme can be used for signature based security (is the update
> signed by an authorized user) or user based security (is the user
> currently writing the update an authorized user).
>
> This user based example ensures that every document has an authors
> field and when updating an existing document, you are an allowed
> author, or a moderator:
>
> function(newDocument, previousDocument, userCtx) {
> if (!newDocument._deleted && !newDocument.author) {
> throw {forbidden, "All documents must have an author specified."}
> }
> if (previousDocument &&
> previousDocument.author != userCtx.name &&
> userCtx.roles.indexOf("Discussion Moderator") == -1) {
> throw {unauthorized, "You are not the author of this document."}
> }
> }
>
> The validation works with replication too, all updates, whether
> interactive or replicated are validated. But the replication still
> needs testing and might be buggy on update failures.
>
> That's all for now. Question and comments please.
>
> -Damien
Hi Damien, cool stuff. Could we have it so that the user context
passed to the validation function includes a role of "_admin" if the
user's name is in the DB admins list? Maybe something as simple as
diff --git a/trunk/src/couchdb/couch_db.erl b/trunk/src/couchdb/
couch_db.erl
index 7de5b8d..4eed8bc 100644
--- a/trunk/src/couchdb/couch_db.erl
+++ b/trunk/src/couchdb/couch_db.erl
@@ -231,9 +231,14 @@ validate_doc_update(_Db, #doc{id= <<"_local/",_/
binary>>}=Doc, _GetDiskDocFun) -
Doc;
validate_doc_update(#db{name=DbName,user_ctx=Ctx}=Db, Doc,
GetDiskDocFun) ->
DiskDoc = GetDiskDocFun(),
+ UserName = Ctx#user_ctx.name,
+ Roles = Ctx#user_ctx.roles ++ case lists:member(UserName,
Db#db.admins) of
+ true -> [<<"_admin">>];
+ false -> []
+ end,
JsonCtx = {[{<<"db">>, DbName},
- {<<"name">>,Ctx#user_ctx.name},
- {<<"roles">>,Ctx#user_ctx.roles}]},
+ {<<"name">>,UserName},
+ {<<"roles">>,Roles}]},
[case Fun(Doc, DiskDoc, JsonCtx) of
ok -> ok;
Error -> throw(Error)
Best, Adam
Re: New Security and Validation Features
Posted by Adam Kocoloski <ad...@gmail.com>.
On Dec 3, 2008, at 8:01 PM, Chris Anderson wrote:
> On Wed, Dec 3, 2008 at 10:55 AM, Adam Kocoloski
> <ad...@gmail.com> wrote:
>>
>> Hi Damien, cool stuff. Could we have it so that the user context
>> passed to
>> the validation function includes a role of "_admin" if the user's
>> name is in
>> the DB admins list?
>
> Why not just go all the way and include the full list of the user's
> roles?
Hi Chris, that's the goal. All the other roles are already being
included in the context passed to the validation function. DB admin
is a bit of a special case since its a calculated quantity --
specifically, a user is a DBA if there's a non-zero intersection
between [#user_ctx.name | #user_ctx.roles] and #db.admins.
In the patch I appended _admin to the list of roles. I didn't replace
the existing ones. Best,
Adam
Re: New Security and Validation Features
Posted by Chris Anderson <jc...@apache.org>.
On Wed, Dec 3, 2008 at 10:55 AM, Adam Kocoloski
<ad...@gmail.com> wrote:
>
> Hi Damien, cool stuff. Could we have it so that the user context passed to
> the validation function includes a role of "_admin" if the user's name is in
> the DB admins list?
Why not just go all the way and include the full list of the user's roles?
--
Chris Anderson
http://jchris.mfdz.com