incubator-couchdb-user mailing list archives

From Robert Newson <>
Subject Re: Possible validation security issue
Date Thu, 30 Aug 2012 21:49:29 GMT
I'm really struggling to believe that many people would read this code;

function (newDoc, oldDoc, userCtx) {
 if ( {
   if( != {
     throw({"forbidden": "You may only update documents with author " +});

and think it prevented the changing of the author field. That code simply isn't there; couchdb isn't magically adding the code you didn't write.


On 30 Aug 2012, at 22:33, Tim Tisdall wrote:

> ^_^  I'm fairly new to couchdb, too.  I only figured that out because
> I saw on the page you linked to that it referred to a previous chapter
> and I went to it to see if there was any clarification or if the code
> was the same.  It probably should be tweaked a bit so it's a little
> more clear what the chunk of code is intended to do.
> You should post something in the issues tracker and see if they'll change it...
> -Tim
> On Thu, Aug 30, 2012 at 5:09 PM, Wordit <> wrote:
>> On Wed, Aug 29, 2012 at 10:32 PM, Tim Tisdall <> wrote:
>>> I think that chunk of code is to ensure that when someone saves a
>>> change to a document that they also have to sign it with their own
>>> user name.
>> That would certainly make sense for a wiki application, but I think
>> it's unclear because "author" is not defined. Is it the current user
>> editing the document, or the previous user who edited the document?
>> The example is misleading to people learning couchDB. In my case, I'm
>> re-visiting couchDB after 20 months not using it and had forgotten
>> about how oldDoc/newDoc works. I found the same code example referring
>> to the definitive guide in another post, possibly in a different
>> forum. The poster had the same expectation I did and the people
>> replying did not correct or change that expectation.
>> When you have more in-depth knowledge of how couchDB works it all
>> seems obvious, I'm sure. You probably wonder how anyone could possibly
>> misunderstand.
>> Marcus
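The point of the exchange above, as an added example that is not code from this thread or from CouchDB itself: the first function follows the form of the Definitive Guide example under discussion (it assumes the guide's comparison of newDoc.author against userCtx.name); the second is an added variant that does what readers of the guide expected, and the runUpdate helper is a constructed stand-in for how CouchDB invokes a validate_doc_update function (oldDoc is null on create, a thrown {forbidden: ...} becomes a 403). The user names and documents are constructed for the demonstration.

```javascript
// Added example (not from this thread or from CouchDB): two validation
// functions run through a small simulation of CouchDB's calling convention,
// showing that the guide's example only ties the *submitted* author to the
// requesting user and does nothing to stop the author field from changing.

// Form of the Definitive Guide example the thread discusses (assumed:
// newDoc.author is compared with userCtx.name, the requesting user's name).
// oldDoc is never consulted, so author may be rewritten freely as long as the
// new value is the user making the request.
function guideStyleValidate(newDoc, oldDoc, userCtx) {
  if (newDoc.author) {
    if (newDoc.author != userCtx.name) {
      throw({forbidden: "You may only update documents with author " + userCtx.name});
    }
  }
}

// The rule readers expected: once set, author is immutable, and only that
// author (or a server admin) may update or delete the document.
// Added hardened variant, not the guide's code.
function lockedAuthorValidate(newDoc, oldDoc, userCtx) {
  var isAdmin = !!(userCtx.roles && userCtx.roles.indexOf("_admin") !== -1);
  if (newDoc._deleted) {
    // Deletions arrive as a tombstone without an author field; gate on oldDoc.
    if (oldDoc && oldDoc.author !== userCtx.name && !isAdmin) {
      throw({forbidden: "Only the author may delete this document"});
    }
    return;
  }
  if (!newDoc.author) {
    throw({forbidden: "author is required"});
  }
  if (oldDoc === null) {
    // New document: the author must be the requesting user.
    if (newDoc.author !== userCtx.name && !isAdmin) {
      throw({forbidden: "You may only create documents with author " + userCtx.name});
    }
    return;
  }
  if (newDoc.author !== oldDoc.author) {
    throw({forbidden: "author cannot be changed"});
  }
  if (oldDoc.author !== userCtx.name && !isAdmin) {
    throw({forbidden: "Only " + oldDoc.author + " may update this document"});
  }
}

// Constructed stand-in for CouchDB's calling convention: oldDoc is null for a
// new document; a thrown {forbidden: ...} maps to HTTP 403, {unauthorized: ...}
// to 401, and a validator that returns normally lets the write through.
function runUpdate(validate, newDoc, oldDoc, userCtx) {
  try {
    validate(newDoc, oldDoc, userCtx);
    return { status: 201, doc: newDoc };
  } catch (e) {
    if (e && e.forbidden) return { status: 403, reason: e.forbidden };
    if (e && e.unauthorized) return { status: 401, reason: e.unauthorized };
    throw e;
  }
}

// Constructed scenario: alice creates a page, then mallory rewrites it and
// sets the author field to herself.
var alice = { name: "alice", roles: [] };
var mallory = { name: "mallory", roles: [] };
var stored = { _id: "page1", _rev: "1-abc", author: "alice", body: "original" };
var takeover = { _id: "page1", _rev: "1-abc", author: "mallory", body: "defaced" };

// With the guide's function the takeover succeeds: the new author equals the
// requesting user, which is all that function checks.
function guideAllowsTakeover() {
  return runUpdate(guideStyleValidate, takeover, stored, mallory).status === 201;
}

// With the locked variant the same write is rejected with 403.
function lockedBlocksTakeover() {
  return runUpdate(lockedAuthorValidate, takeover, stored, mallory).status === 403;
}

// The legitimate author can still edit her own document.
function lockedAllowsOwnEdit() {
  var edit = { _id: "page1", _rev: "1-abc", author: "alice", body: "revised" };
  return runUpdate(lockedAuthorValidate, edit, stored, alice).status === 201;
}
```

The difference is entirely in which document the author field is compared against: the guide's function looks only at newDoc and userCtx, so "author" there means "whoever is writing this revision", whereas the locked variant anchors the check on oldDoc.author, which is the only way to express "the author recorded in the previous revision".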
