couchdb-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rnew...@apache.org
Subject git commit: Only allow strings in user doc "roles" array
Date Sun, 10 Feb 2013 10:53:54 GMT
Updated Branches:
  refs/heads/1675-fix-roles-validation [created] 5f507095a


Only allow strings in user doc "roles" array

We validate that _security documents only contain strings but we have
not done the same for the roles field in user docs. This is a breaking
change as users may have been inserting other things (notably,
objects) in this field.

COUCHDB-1675


Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/5f507095
Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/5f507095
Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/5f507095

Branch: refs/heads/1675-fix-roles-validation
Commit: 5f507095a0c7996391f6ca37a30fd0c4829b5e45
Parents: 3b103eb
Author: Robert Newson <rnewson@apache.org>
Authored: Sun Feb 10 10:52:24 2013 +0000
Committer: Robert Newson <rnewson@apache.org>
Committed: Sun Feb 10 10:52:24 2013 +0000

----------------------------------------------------------------------
 share/www/script/test/users_db.js  |   10 ++++++++++
 src/couchdb/couch_js_functions.hrl |    6 ++++++
 2 files changed, 16 insertions(+), 0 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb/blob/5f507095/share/www/script/test/users_db.js
----------------------------------------------------------------------
diff --git a/share/www/script/test/users_db.js b/share/www/script/test/users_db.js
index 44e6c88..4d6e4de 100644
--- a/share/www/script/test/users_db.js
+++ b/share/www/script/test/users_db.js
@@ -112,6 +112,16 @@ couchTests.users_db = function(debug) {
     }
     jchrisUserDoc.roles = [];
 
+    // "roles" must be an array of strings
+    jchrisUserDoc.roles = [12];
+    try {
+      usersDb.save(jchrisUserDoc);
+      T(false && "should only allow us to save doc when roles is an array of strings");
+    } catch(e) {
+      TEquals(e.reason, "doc.roles can only contain strings");
+    }
+    jchrisUserDoc.roles = [];
+
     // "roles" must exist
     delete jchrisUserDoc.roles;
     try {

http://git-wip-us.apache.org/repos/asf/couchdb/blob/5f507095/src/couchdb/couch_js_functions.hrl
----------------------------------------------------------------------
diff --git a/src/couchdb/couch_js_functions.hrl b/src/couchdb/couch_js_functions.hrl
index 2ecd851..774b724 100644
--- a/src/couchdb/couch_js_functions.hrl
+++ b/src/couchdb/couch_js_functions.hrl
@@ -39,6 +39,12 @@
             throw({forbidden: 'doc.roles must be an array'});
         }
 
+        for (var idx = 0; idx < newDoc.roles.length; idx++) {
+            if (typeof newDoc.roles[idx] !== 'string') {
+                throw({forbidden: 'doc.roles can only contain strings'});
+            }
+        }
+
         if (newDoc._id !== ('org.couchdb.user:' + newDoc.name)) {
             throw({
                 forbidden: 'Doc ID must be of the form org.couchdb.user:name'


Mime
View raw message