incubator-couchdb-user mailing list archives

From Stefan Klein <st.fankl...@googlemail.com>
Subject Re: PUT on _update/docid1 but create a new document with _id:docid2?
Date Fri, 19 Nov 2010 23:35:39 GMT
Hi Jan,

On 19.11.2010 23:55, Jan Lehnardt wrote:
>  On 19 Nov 2010, at 23:48, Stefan Klein wrote:
> > On 19.11.2010 13:54, Jan Lehnardt wrote:
> >> On 19 Nov 2010, at 11:55, Stefan Klein wrote:
> >>> Hi List,
> >>>
> >>> [ ... snip ...] Now I'm pretty unsure if this is an evil hack
> >>> or even a bug in couchdb which gets fixed or if it's just a
> >>> really cool feature.
> >> Looks like it is working as advertised :) — Beware though that if
> >> you allow anyone to write to your database, people could run some
> >> arbitrary JavaScript code. Worst that could happen though is
> >> making infinite loops that CouchDB kills after 5 seconds and then
> >> make many of them concurrently, i.e. a classical DoS situation.
> >>
> >> If it's only you that talks to the database, this looks like a
> >> neat hack :)
> >>
> >> Cheers Jan
> > Which can be handled by the validate function, only users with a
> > specific role may create/update documents of a special type. Thank
> > you!
>
>  Actually, the validation function runs after the update function.

The critical document is the document with the ID which gets PUTed on, 
not the newly submitted document.
For those configuration documents (_id:www.youtube.com in my example) 
containing the evaled code I'm going to restrict create/update access to 
trusted users.

regards,
Stefan
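
The role restriction discussed in this message, sketched as a CouchDB `validate_doc_update` function. This is an added example, not code from the thread; the `type: "config"` marker and the `config_editor` role name are assumptions made for illustration.

```javascript
// Added example, not code from the thread.
// Same signature CouchDB uses for a design document's validate_doc_update.
function validateDocUpdate(newDoc, oldDoc, userCtx) {
  var CONFIG_TYPE = "config";          // assumed type marker for config docs
  var TRUSTED_ROLE = "config_editor";  // assumed role held by trusted users

  var roles = (userCtx && userCtx.roles) || [];
  var trusted = roles.indexOf("_admin") !== -1 ||
                roles.indexOf(TRUSTED_ROLE) !== -1;

  // Check both revisions: the stored one covers deletes and attempts to
  // retype an existing config document, the new one covers creates/updates.
  var touchesConfig =
    (oldDoc && oldDoc.type === CONFIG_TYPE) ||
    newDoc.type === CONFIG_TYPE;

  if (touchesConfig && !trusted) {
    throw { forbidden: "only trusted users may change configuration documents" };
  }
}

// Helper for trying the function outside CouchDB: returns null when the
// write is accepted, otherwise the rejection message.
function check(newDoc, oldDoc, userCtx) {
  try {
    validateDocUpdate(newDoc, oldDoc, userCtx);
    return null;
  } catch (e) {
    return e.forbidden;
  }
}

// Constructed sample documents and user contexts.
var configDoc = { _id: "www.youtube.com", type: "config", code: "/* ... */" };
var anonymous = { name: null, roles: [] };
var editor = { name: "stefan", roles: ["config_editor"] };

console.log(check(configDoc, null, anonymous));               // rejected
console.log(check(configDoc, null, editor));                  // accepted
console.log(check({ _id: "www.youtube.com", _deleted: true },
                  configDoc, anonymous));                     // rejected
```

The stored revision is checked as well as the new one, so an untrusted user cannot delete a configuration document or drop its `type` field to get around the rule.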


