couchdb-dev mailing list archives

From Brian Candler <B.Cand...@pobox.com>
Subject Re: DB ACLs (was Re: 0.11 Release / Feature Freeze for 1.0)
Date Mon, 08 Feb 2010 16:19:46 GMT
Sorry to drag on about this, but I have another problem with the readeracl
branch.

As far as I can tell, it's impossible to test in validate_doc_update whether
the user is listed in the database-level _admins resource.  Example:

$ curl http://brianadmin:brianadmin@127.0.0.1:5984/briantest/_admins
{"names":["brianadmin"],"roles":[]}

$ curl -X PUT -d'{"validate_doc_update":"function(newDoc,oldDoc,userCtx,secObj) {if (userCtx.roles.indexOf(\"_admin\") == -1) {throw {unauthorized: \"You are not an admin\"+toJSON(userCtx)};}}"}' 'http://brianadmin:brianadmin@127.0.0.1:5984/briantest/_design/testadmin'
{"ok":true,"id":"_design/testadmin","rev":"1-3a33960e65f156773478f357aaf67471"}

$ curl -X PUT -d "{}" http://brianadmin:brianadmin@127.0.0.1:5984/briantest/foo
{"error":"unauthorized","reason":"You are not an admin{\"db\":\"briantest\",\"name\":\"brianadmin\",\"roles\":[]}"}

That is, the "_admin" role is only visible here if you are a server-wide
admin, not if you are a database-level admin.

As a result, if you want database-level admins to have any special
privileges with regards to updating documents, you have to list them again
in the _security document.

I don't think this is clear in the security_validation.js test, because it
uses X-Couch-Test-Auth, which gives the _admin role when not logged in as any
particular user. So

      T(db.setDbProperty("_security", {admin_override : true}).ok);
      T(db.save(doc).ok);

only works because the _admin role is set here, not because the user is in
_admins.

Regards,

Brian.
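A validate_doc_update that accepts both server-wide admins (via the "_admin" role in userCtx.roles) and database-level admins (via the secObj argument), written as an added example that is not part of Brian's post or of CouchDB itself. It assumes secObj has the {admins: {names, roles}} shape of the CouchDB security object and uses JSON.stringify in place of the query server's toJSON so it runs stand-alone.

```javascript
// Added example, not from the mailing list post. Assumption: secObj looks like
// {admins: {names: [...], roles: [...]}, readers: {...}}; the readeracl branch
// discussed in the thread may pass a different shape.

// A database-level admin never receives the "_admin" role in userCtx, so the
// security object passed as the fourth argument has to be consulted as well.
function isDbAdmin(userCtx, secObj) {
  // Server-wide admins carry the "_admin" role.
  if (userCtx.roles.indexOf("_admin") !== -1) return true;
  var admins = (secObj && secObj.admins) || {};
  var names = admins.names || [];
  var roles = admins.roles || [];
  // Database-level admins: listed by name or by role in secObj.admins.
  if (names.indexOf(userCtx.name) !== -1) return true;
  for (var i = 0; i < userCtx.roles.length; i++) {
    if (roles.indexOf(userCtx.roles[i]) !== -1) return true;
  }
  return false;
}

function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  if (!isDbAdmin(userCtx, secObj)) {
    throw { unauthorized: "You are not an admin: " + JSON.stringify(userCtx) };
  }
}

// Local harness reproducing the post's scenario with constructed contexts;
// returns "ok" when the write would be accepted, "unauthorized" otherwise.
function check(userCtx, secObj) {
  try {
    validate_doc_update({}, null, userCtx, secObj);
    return "ok";
  } catch (e) {
    return e.unauthorized ? "unauthorized" : "error";
  }
}

// Constructed inputs mirroring the post: brianadmin is a DB admin with no
// roles, so the role check alone rejects the write while the secObj check passes.
var brian = { db: "briantest", name: "brianadmin", roles: [] };
var security = { admins: { names: ["brianadmin"], roles: [] }, readers: { names: [], roles: [] } };
console.log(check(brian, { admins: { names: [], roles: [] } })); // unauthorized
console.log(check(brian, security));                             // ok
```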
