Date: Wed, 29 Aug 2012 16:25:54 -0400
Subject: Re: Possible validation security issue
From: Tim Tisdall
To: user@couchdb.apache.org

I think it should probably be looking at the oldDoc like Paul said. Then it should be preventing all editing unless the current user is the one in the doc (including changing the author).

On the top of the CouchDB Definitive Guide page you sent there's a link that says "report issue"... I'm pretty sure you found a problem in the code. I also didn't see an existing issue in the issue tracker about it.

On Wed, Aug 29, 2012 at 3:01 PM, Wordit wrote:
> The function I used is from the "CouchDB Definitive Guide". It's in
> both the security and validation sections.
>
> http://guide.couchdb.org/draft/security.html
>
> "We had an update validation function that allowed us to verify that
> the claimed author of a document matched the authenticated username."
>
> Is the guide outdated, is it an error in the guide, or did I
> misunderstand what it is to be used for? Or all three perhaps?
>
>
> That aside, why does the function prevent updating all fields except
> the author field when that is the one in the validation function? What
> am I missing in couchdb's logic?
>
> Marcus
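As an added illustration of the gap discussed in this thread (example code, not from the thread or from the guide): a validate_doc_update function in the weak form the thread describes, beside one that checks oldDoc as Tim suggests, with a small harness that calls both the way CouchDB would. The documents, user contexts and the `tryWrite`/`scenarios` helpers are constructed for this example.

```javascript
// Weak form as the thread describes it: only the claimed author on the incoming
// document is checked, so any user can set "author" to their own name, then edit.
function validateWeak(newDoc, oldDoc, userCtx) {
  if (newDoc.author != userCtx.name) {
    throw({forbidden: "You may only update documents with author " + userCtx.name});
  }
}

// Hardened form following Tim's suggestion: for an existing document, the author
// recorded in oldDoc decides who may write (including reassigning the author or
// deleting); on creation the claimed author must be the authenticated user.
function validateHardened(newDoc, oldDoc, userCtx) {
  if (userCtx.roles.indexOf("_admin") !== -1) return;  // server admins are exempt
  if (oldDoc && oldDoc.author !== userCtx.name) {
    throw({forbidden: "Only " + oldDoc.author + " may modify this document"});
  }
  if (newDoc._deleted) return;  // deletion stubs carry no author field
  if (!oldDoc && newDoc.author !== userCtx.name) {
    throw({forbidden: "New documents must be authored by " + userCtx.name});
  }
  if (typeof newDoc.author !== "string" || newDoc.author === "") {
    throw({forbidden: "author is required"});
  }
}

// Calls a validation function the way CouchDB does and reports the outcome.
function tryWrite(validate, newDoc, oldDoc, userCtx) {
  try {
    validate(newDoc, oldDoc, userCtx);
    return "accepted";
  } catch (e) {
    return e.forbidden ? "forbidden" : "error";
  }
}

// Constructed sample data: one stored document and two authenticated users.
const OLD = {_id: "post1", _rev: "1-a", author: "marcus", body: "original"};
const MARCUS = {name: "marcus", roles: []};
const MALLORY = {name: "mallory", roles: []};

// Runs the writes discussed in the thread against one validation function.
function scenarios(validate) {
  return {
    ownerEdit:     tryWrite(validate, {_id: "post1", author: "marcus", body: "edited"}, OLD, MARCUS),
    otherEdit:     tryWrite(validate, {_id: "post1", author: "marcus", body: "edited"}, OLD, MALLORY),
    authorRewrite: tryWrite(validate, {_id: "post1", author: "mallory", body: "edited"}, OLD, MALLORY),
    otherDelete:   tryWrite(validate, {_id: "post1", _deleted: true}, OLD, MALLORY),
    createOwn:     tryWrite(validate, {_id: "post2", author: "mallory"}, null, MALLORY),
    createAsOther: tryWrite(validate, {_id: "post3", author: "marcus"}, null, MALLORY),
  };
}
```

`scenarios(validateWeak).authorRewrite` comes back "accepted", which is exactly the behaviour Marcus reports; the hardened function rejects it.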