couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Gabriel Farrell <gsf...@gmail.com>
Subject Re: Bad array check in _users/_design/_auth
Date Wed, 10 Nov 2010 15:36:23 GMT
On Mon, Nov 8, 2010 at 11:10 AM, Zachary Zolton
<zachary.zolton@gmail.com> wrote:
> If your version of SpiderMonkey (used for the JavaScript view server)
> supports JavaScript version 1.8.5, you can simply use the
> Array.isArray() function.

Debian testing is still on 1.7, so maybe too soon to start using
Array.isArray(), as much as I'd like to.

> Otherwise, here's an article describing the difficulties of detecting
> whether an object is an array:
> http://is.gd/gQ2i4

Thanks for the article. I'm guessing the "multiple globals" issue is
the reason I need to eval(uneval(theArray)). I had at first attempted
to test with (theArray.constructor === Array), but even though this
works in the command-line js interpreter, I couldn't access the
constructor in the validate_doc_update script.

> On Fri, Nov 5, 2010 at 12:32 PM, Gabriel Farrell <g@grrawr.com> wrote:
>> In trying to figure out how to test for an array value in
>> validate_doc_update I ran across the following in
>> _users/_design/_auth:
>>
>>    if (!(newDoc.roles && (typeof newDoc.roles.length !== 'undefined')))
{
>>      throw({forbidden: 'doc.roles must be an array'});
>>    }
>>
>> Strings also have a length method, so this is a bad test for an array.
>> Setting "roles" to a string for any user got no complaint from
>> validate_doc_update, but thereafter I could no longer perform any
>> administrative tasks in Futon, nor log in or out, and I got "An error
>> occurred getting session info: function_clause" popping up on every
>> page. Deleting the cookie allowed me to log back in and fix the doc.
>>
>> Now that I look at it, there's also an erroneous exclamation point at
>> the start of that condition.
>>
>> After a lot of trial and error I got it working with the following:
>>
>>    if (newDoc.roles && !(eval(uneval(newDoc.roles)) instanceof Array))
{
>>        throw({forbidden: 'doc.roles must be an array'});
>>    }
>>
>> If there's a less-convoluted way to test for an array, I'd be happy to see it.
>>
>> Should I put this in JIRA? If so, would the component be Futon?
>>
>>
>> Gabriel
>>
>

Mime
View raw message