incubator-couchdb-user mailing list archives

From Tim Tisdall <tisd...@gmail.com>
Subject Re: Possible validation security issue
Date Wed, 29 Aug 2012 20:32:04 GMT
okay.. seems I hit "send" too quickly...  read this section:
http://guide.couchdb.org/draft/validation.html#authorship

I think that chunk of code is to ensure that when someone saves a
change to a document that they also have to sign it with their own
user name.  So, changing the user name in the document isn't a way to
circumvent the security, it's something that the validator is
enforcing so the document always has the author of the last person to
edit it.

So, not a bug in the document, just a misunderstanding of the
intention of the code...

-Tim

On Wed, Aug 29, 2012 at 4:25 PM, Tim Tisdall <tisdall@gmail.com> wrote:
> I think it should probably be looking at the oldDoc like Paul said.
> Then it should be preventing all editing unless the current user is
> the one in the doc (including changing the author).
>
> On the top of the couchdb definitive guide page you sent there's a
> link that says "report issue"...  I'm pretty sure you found a problem
> in the code.  I also didn't see an existing issue in the issue tracker
> about it.
>
> On Wed, Aug 29, 2012 at 3:01 PM, Wordit <wordituk@gmail.com> wrote:
>> The function I used is from the "CouchDB Definitive Guide". It's in
>> both the security and validation sections.
>>
>> http://guide.couchdb.org/draft/security.html
>>
>> "We had an update validation function that allowed us to verify that
>> the claimed author of a document matched the authenticated username."
>>
>> Is the guide outdated, is it an error in the guide, or did I
>> misunderstand what it is to be used for? Or all three perhaps?
>>
>>
>> That aside, why does the function prevent updating all fields except
>> the author field when that is the one in the validation function? What
>> am I missing in couchdb's logic?
>>
>> Marcus
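
The validator the thread is arguing about, as an added example that is neither the guide's code nor anything posted in this thread: the guide-style check that only inspects the new document, next to the oldDoc-based variant Tim and Paul suggest, with a small harness that invokes both the way CouchDB invokes validate_doc_update. The field names (author, userCtx.name), the sample documents and the user context are assumptions made for this example.

```javascript
// Added example (not the guide's or CouchDB's code). Field names such as
// newDoc.author and userCtx.name are assumed from the guide's description.

// Guide-style check: the document being saved must be signed by the
// authenticated user. It only looks at newDoc, which is what Marcus saw:
// an edit is rejected unless the author field is set to the current user,
// and setting author to yourself is enough to get any edit accepted.
function validateAuthorOnly(newDoc, oldDoc, userCtx) {
  if (newDoc.author !== userCtx.name) {
    throw { forbidden: 'Documents must be signed by ' + userCtx.name };
  }
}

// Stricter variant from the thread: an existing document may only be
// changed (or deleted) by the user recorded in oldDoc.author, so the
// author field cannot be reassigned by someone else. New documents must
// still be signed by the current user.
function validateOwner(newDoc, oldDoc, userCtx) {
  if (oldDoc && oldDoc.author !== userCtx.name) {
    throw { forbidden: 'Only ' + oldDoc.author + ' may modify this document' };
  }
  if (!newDoc._deleted && newDoc.author !== userCtx.name) {
    throw { forbidden: 'Documents must be signed by ' + userCtx.name };
  }
}

// Mimics how CouchDB treats a validator: returns null when the write is
// accepted, otherwise the `forbidden` reason the function threw.
function runValidation(validator, newDoc, oldDoc, userCtx) {
  try {
    validator(newDoc, oldDoc, userCtx);
    return null;
  } catch (e) {
    if (e && e.forbidden) return e.forbidden;
    throw e; // anything else is a bug in the validator, not a rejection
  }
}

// Constructed sample: marcus wrote the document, another user re-signs it.
const original = { _id: 'post1', author: 'marcus', body: 'hello' };
const takeover = { _id: 'post1', author: 'other', body: 'changed' };
const otherUser = { name: 'other', roles: [] };

// Guide-style check accepts the re-signed edit; owner check rejects it.
console.log('author-only:', runValidation(validateAuthorOnly, takeover, original, otherUser));
console.log('owner:', runValidation(validateOwner, takeover, original, otherUser));
```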
