Return-Path: 
 <dev-return-13162-apmail-couchdb-dev-archive=couchdb.apache.org@couchdb.apache.org>
Delivered-To: apmail-couchdb-dev-archive@www.apache.org
Received: (qmail 80812 invoked from network); 10 Nov 2010 15:36:21 -0000
Received: from unknown (HELO mail.apache.org) (140.211.11.3)
  by 140.211.11.9 with SMTP; 10 Nov 2010 15:36:21 -0000
Received: (qmail 62405 invoked by uid 500); 10 Nov 2010 15:36:52 -0000
Delivered-To: apmail-couchdb-dev-archive@couchdb.apache.org
Received: (qmail 62125 invoked by uid 500); 10 Nov 2010 15:36:50 -0000
Mailing-List: contact dev-help@couchdb.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@couchdb.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@couchdb.apache.org>
List-Post: <mailto:dev@couchdb.apache.org>
List-Id: <dev.couchdb.apache.org>
Reply-To: dev@couchdb.apache.org
Delivered-To: mailing list dev@couchdb.apache.org
Received: (qmail 62117 invoked by uid 99); 10 Nov 2010 15:36:50 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 10 Nov 2010 15:36:50 +0000
X-ASF-Spam-Status: No, hits=2.2 required=10.0
	tests=FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_PASS,T_TO_NO_BRKTS_FREEMAIL
X-Spam-Check-By: apache.org
Received-SPF: pass (athena.apache.org: domain of gsf747@gmail.com designates
 74.125.82.180 as permitted sender)
Received: from [74.125.82.180] (HELO mail-wy0-f180.google.com) (74.125.82.180)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 10 Nov 2010 15:36:45 +0000
Received: by wyb42 with SMTP id 42so42585wyb.11
        for <dev@couchdb.apache.org>; Wed, 10 Nov 2010 07:36:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:mime-version:received:received:in-reply-to
         :references:date:message-id:subject:from:to:content-type
         :content-transfer-encoding;
        bh=v3AbgC7/ivZVkcMGpYtdfTTRu7CaKF+ge8Gq8Jh3sQU=;
        b=HaCKD28as4vghwoap/ECYh5Z3wgx11I5/Xo3OGaU+cU+E9BauiN+lH1HtVJBp9zsMQ
         c0p+62k9bd/Mce4vWbtr19zQqxwZzcb6vmVfsxzzdCx3y7vSOwIORbk9qVSpfST0oRh4
         oX7bRF+y9pVaRvWQdieuCiK+pyzcfiFRVMFBg=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type:content-transfer-encoding;
        b=Iy3zlJwg5x7D8Mb4Ruou8YgYRYrrZp8wSOcHF2YJ0AYBJd7N4vXekORaJR5vIEJ9cv
         uiezrzvVMCszad4V+cIyn8Y0OYsRuE/ciqmuU4KrVHAsrBuvwtZADy4+yurOTwQy+QYH
         9LOxXRSb2vI58q20IH//BqZYmwLzq0G1HDKg4=
MIME-Version: 1.0
Received: by 10.216.73.133 with SMTP id v5mr8489754wed.21.1289403383194; Wed,
 10 Nov 2010 07:36:23 -0800 (PST)
Received: by 10.216.239.142 with HTTP; Wed, 10 Nov 2010 07:36:23 -0800 (PST)
In-Reply-To: <AANLkTi=KPXe9-zCip=KmYkBBgbM1AQLZuoiGTg8Hkbkg@mail.gmail.com>
References: <AANLkTim-jdhu=iw0EgdeswbNzO9YRGgq3DpfcWPdz20i@mail.gmail.com>
	<AANLkTintH+F5HrZcmkAH5U4jxZ3a+k7agFkQjPeTbrZN@mail.gmail.com>
	<AANLkTi=KPXe9-zCip=KmYkBBgbM1AQLZuoiGTg8Hkbkg@mail.gmail.com>
Date: Wed, 10 Nov 2010 10:36:23 -0500
Message-ID: <AANLkTi=OMycb8KZPzDdnqOS+QFYjWQHXjJGc8zB19axN@mail.gmail.com>
Subject: Re: Bad array check in _users/_design/_auth
From: Gabriel Farrell <gsf747@gmail.com>
To: dev@couchdb.apache.org
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Mon, Nov 8, 2010 at 11:10 AM, Zachary Zolton
<zachary.zolton@gmail.com> wrote:
> If your version of SpiderMonkey (used for the JavaScript view server)
> supports JavaScript version 1.8.5, you can simply use the
> Array.isArray() function.

Debian testing is still on 1.7, so maybe too soon to start using
Array.isArray(), as much as I'd like to.

> Otherwise, here's an article describing the difficulties of detecting
> whether an object is an array:
> http://is.gd/gQ2i4

Thanks for the article. I'm guessing the "multiple globals" issue is
the reason I need to eval(uneval(theArray)). I had at first attempted
to test with (theArray.constructor =3D=3D=3D Array), but even though this
works in the command-line js interpreter, I couldn't access the
constructor in the validate_doc_update script.

> On Fri, Nov 5, 2010 at 12:32 PM, Gabriel Farrell <g@grrawr.com> wrote:
>> In trying to figure out how to test for an array value in
>> validate_doc_update I ran across the following in
>> _users/_design/_auth:
>>
>> =C2=A0 =C2=A0if (!(newDoc.roles && (typeof newDoc.roles.length !=3D=3D '=
undefined'))) {
>> =C2=A0 =C2=A0 =C2=A0throw({forbidden: 'doc.roles must be an array'});
>> =C2=A0 =C2=A0}
>>
>> Strings also have a length method, so this is a bad test for an array.
>> Setting "roles" to a string for any user got no complaint from
>> validate_doc_update, but thereafter I could no longer perform any
>> administrative tasks in Futon, nor log in or out, and I got "An error
>> occurred getting session info: function_clause" popping up on every
>> page. Deleting the cookie allowed me to log back in and fix the doc.
>>
>> Now that I look at it, there's also an erroneous exclamation point at
>> the start of that condition.
>>
>> After a lot of trial and error I got it working with the following:
>>
>> =C2=A0 =C2=A0if (newDoc.roles && !(eval(uneval(newDoc.roles)) instanceof=
 Array)) {
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0throw({forbidden: 'doc.roles must be an array=
'});
>> =C2=A0 =C2=A0}
>>
>> If there's a less-convoluted way to test for an array, I'd be happy to s=
ee it.
>>
>> Should I put this in JIRA? If so, would the component be Futon?
>>
>>
>> Gabriel
>>
>