couchdb-user mailing list archives

From Robert Newson <rnew...@apache.org>
Subject Re: Possible validation security issue
Date Thu, 30 Aug 2012 21:49:29 GMT
I'm really struggling to believe that many people would read this code;

function (newDoc, oldDoc, userCtx) {
  if (newDoc.author) {
    if (newDoc.author != userCtx.name) {
      throw({"forbidden": "You may only update documents with author " +
        userCtx.name});
    }
  }
}

and think it prevented the changing of the author field. That code simply isn't there, couchdb
isn't magically adding the code you didn't write.

B.

On 30 Aug 2012, at 22:33, Tim Tisdall wrote:

> ^_^  I'm fairly new to couchdb, too.  I only figured that out because
> I saw on the page you linked to that it referred to a previous chapter
> and I went to it to see if there was any clarification or if the code
> was the same.  It probably should be tweaked a bit so it's a little
> more clear what the chunk of code is intended to do.
> 
> You should post something in the issues tracker and see if they'll change it...
> 
> -Tim
> 
> On Thu, Aug 30, 2012 at 5:09 PM, Wordit <wordituk@gmail.com> wrote:
>> On Wed, Aug 29, 2012 at 10:32 PM, Tim Tisdall <tisdall@gmail.com> wrote:
>>> 
>>> I think that chunk of code is to ensure that when someone saves a
>>> change to a document that they also have to sign it with their own
>>> user name.
>> 
>> That would certainly make sense for a wiki application, but I think
>> it's unclear because "author" is not defined. Is it the current user
>> editing the document, or the previous user who edited the document?
>> 
>> The example is misleading to people learning couchDB. In my case, I'm
>> re-visiting couchDB after 20 months not using it and had forgotten
>> about how oldDoc/newDoc works. I found the same code example referring
>> to the definitive guide in another post, possibly in a different
>> forum. The poster had the same expectation I did and the people
>> replying did not correct or change that expectation.
>> 
>> When you have more in-depth knowledge of how couchDB works it all
>> seems obvious, I'm sure. You probably wonder how anyone could possibly
>> misunderstand.
>> 
>> 
>> Marcus
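
As an added example, not code from the original post, the Definitive Guide or CouchDB itself: the validation function quoted above is placed beside a variant that actually pins the author field, and both are run through a small stand-in for CouchDB's validate_doc_update call. The sample documents and userCtx objects are constructed here. The hardened policy (author set at creation, immutable afterwards, only that author may update or delete) is one reasonable reading of what readers of the guide expected the snippet to do; the thread itself prescribes no particular fix.

```javascript
// Added example (not from the thread, the guide or CouchDB). Demonstrates why
// the quoted validate_doc_update function does not stop the author field from
// being changed, and what a function that does stop it looks like. attempt()
// is a local stand-in for the server calling the validator; sample documents
// and userCtx objects are constructed for the demonstration.

// The function as quoted in the thread: it only checks that *if* newDoc
// carries an author, that author is the current user. It never reads oldDoc,
// so author may be dropped, or rewritten to the updating user's own name.
function validateAsQuoted(newDoc, oldDoc, userCtx) {
  if (newDoc.author) {
    if (newDoc.author != userCtx.name) {
      throw({"forbidden": "You may only update documents with author " +
        userCtx.name});
    }
  }
}

// Hardened variant (assumed policy): the author is fixed at creation to the
// current user, never changes afterwards, and only that author may update
// or delete the document. CouchDB passes userCtx.name as null for anonymous
// requests and treats a thrown {unauthorized: ...} as a 401.
function validateAuthorPinned(newDoc, oldDoc, userCtx) {
  if (!userCtx.name) {
    throw({"unauthorized": "You must be logged in to write documents"});
  }
  if (oldDoc) {
    // Update or delete of an existing document: only its author may do so ...
    if (oldDoc.author !== userCtx.name) {
      throw({"forbidden": "Only " + oldDoc.author + " may modify this document"});
    }
    // ... and a non-deleting update may not move the author field.
    if (!newDoc._deleted && newDoc.author !== oldDoc.author) {
      throw({"forbidden": "The author field may not be changed"});
    }
  } else {
    // Creation: author must be present and must be the current user.
    if (newDoc.author !== userCtx.name) {
      throw({"forbidden": "New documents must carry author " + userCtx.name});
    }
  }
}

// Stand-in for the server's call: returns "ok" or the rejection reason.
// Any other exception is a bug in the validator, not a policy rejection.
function attempt(validate, newDoc, oldDoc, userCtx) {
  try {
    validate(newDoc, oldDoc, userCtx);
    return "ok";
  } catch (e) {
    if (e && e.forbidden) return "forbidden: " + e.forbidden;
    if (e && e.unauthorized) return "unauthorized: " + e.unauthorized;
    throw e;
  }
}

// Constructed scenario: alice created a page; bob tries various writes to it.
const alice = { name: "alice", roles: [] };
const bob = { name: "bob", roles: [] };
const anon = { name: null, roles: [] };
const stored = { _id: "page1", _rev: "1-abc", author: "alice", body: "v1" };

function runScenarios(validate) {
  return {
    // bob rewrites the author field to himself
    takeover: attempt(validate, { _id: "page1", _rev: "1-abc", author: "bob", body: "v2" }, stored, bob),
    // bob drops the author field entirely
    dropAuthor: attempt(validate, { _id: "page1", _rev: "1-abc", body: "v2" }, stored, bob),
    // bob keeps alice's name on his edit
    forge: attempt(validate, { _id: "page1", _rev: "1-abc", author: "alice", body: "v2" }, stored, bob),
    // alice edits her own page
    ownEdit: attempt(validate, { _id: "page1", _rev: "1-abc", author: "alice", body: "v2" }, stored, alice),
    // bob deletes alice's page
    deleteByOther: attempt(validate, { _id: "page1", _rev: "1-abc", _deleted: true }, stored, bob),
    // bob creates a new page under his own name
    create: attempt(validate, { _id: "page2", author: "bob", body: "x" }, null, bob),
    // an anonymous request creates a page with no author field at all
    anonCreate: attempt(validate, { _id: "page3", body: "x" }, null, anon),
  };
}

console.log("as quoted:", JSON.stringify(runScenarios(validateAsQuoted), null, 2));
console.log("author pinned:", JSON.stringify(runScenarios(validateAuthorPinned), null, 2));
```

Run with node. The quoted function rejects only the forge case (author "alice" with userCtx.name "bob"); the takeover, drop-author, delete-by-another-user and anonymous-author-less-create cases all pass, because nothing in it consults oldDoc or requires the field to be present. The pinned variant rejects every one of those while still allowing alice's own edit and bob's creation of a fresh page under his own name.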

