incubator-couchdb-user mailing list archives

From Tim Tisdall <tisd...@gmail.com>
Subject Re: Possible validation security issue
Date Wed, 29 Aug 2012 20:25:54 GMT
I think it should probably be looking at the oldDoc like Paul said.
Then it should be preventing all editing unless the current user is
the one in the doc (including changing the author).

At the top of the CouchDB Definitive Guide page you sent there's a
link that says "report issue"... I'm pretty sure you found a problem
in the code.  I also didn't see an existing issue in the issue tracker
about it.

On Wed, Aug 29, 2012 at 3:01 PM, Wordit <wordituk@gmail.com> wrote:
> The function I used is from the "CouchDB Definitive Guide". It's in
> both the security and validation sections.
>
> http://guide.couchdb.org/draft/security.html
>
> "We had an update validation function that allowed us to verify that
> the claimed author of a document matched the authenticated username."
>
> Is the guide outdated, is it an error in the guide, or did I
> misunderstand what it is to be used for? Or all three perhaps?
>
>
> That aside, why does the function prevent updating all fields except
> the author field when that is the one in the validation function? What
> am I missing in CouchDB's logic?
>
> Marcus
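
Added example, not part of the original messages and not the guide's own code: it contrasts a check that compares only the claimed author on the incoming document with one that also consults oldDoc, as suggested in the reply. The function names, the reconstruction of the first check and the sample documents are assumptions made for illustration.

```javascript
// Added example: authorOnly, ownerLocked and check are hypothetical names.
// CouchDB calls validate_doc_update(newDoc, oldDoc, userCtx, secObj) and
// rejects the write when the function throws.

// Assumed reconstruction of the check discussed in the thread: only the
// author claimed on the incoming document is compared with the user.
function authorOnly(newDoc, oldDoc, userCtx) {
  if (newDoc.author && newDoc.author !== userCtx.name) {
    throw { forbidden: "author must be " + userCtx.name };
  }
}

// Variant that consults oldDoc, as suggested in the reply.
function ownerLocked(newDoc, oldDoc, userCtx) {
  if (userCtx.roles.indexOf("_admin") !== -1) return; // server admins pass
  if (!userCtx.name) {
    throw { unauthorized: "Please log in first." };
  }
  if (oldDoc && oldDoc.author !== userCtx.name) {
    // Covers edits, deletions and attempts to reassign the author.
    throw { forbidden: "Only " + oldDoc.author + " may change this document." };
  }
  if (!newDoc._deleted && newDoc.author !== userCtx.name) {
    throw { forbidden: "author must be " + userCtx.name };
  }
}

// Call a validator the way CouchDB would and report the outcome.
function check(validator, newDoc, oldDoc, userCtx) {
  try {
    validator(newDoc, oldDoc, userCtx);
    return "accepted";
  } catch (e) {
    return e.forbidden ? "forbidden" : "unauthorized";
  }
}

// Constructed sample data: a stored document owned by alice, edited by bob.
var stored = { _id: "post1", author: "alice", body: "original" };
var alice = { name: "alice", roles: [] };
var bob = { name: "bob", roles: [] };
var bodyOnly = { _id: "post1", author: "alice", body: "rewritten" };
var takeover = { _id: "post1", author: "bob", body: "rewritten" };

console.log(check(authorOnly, bodyOnly, stored, bob));    // forbidden
console.log(check(authorOnly, takeover, stored, bob));    // accepted
console.log(check(ownerLocked, takeover, stored, bob));   // forbidden
console.log(check(ownerLocked, bodyOnly, stored, alice)); // accepted
```

The first two results reproduce the behaviour asked about in the quoted message: every field is protected except the author field itself.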
