From: Wordit
Date: Wed, 29 Aug 2012 21:01:48 +0200
Subject: Re: Possible validation security issue
To: user@couchdb.apache.org
In-Reply-To: <6AB18F55-7141-4D4F-9CCD-850B67EE1E53@apache.org>

The function I used is from the "CouchDB Definitive Guide". It's in both the security and validation sections.

http://guide.couchdb.org/draft/security.html

"We had an update validation function that allowed us to verify that the claimed author of a document matched the authenticated username."

Is the guide outdated, is it an error in the guide, or did I misunderstand what it is to be used for? Or all three perhaps?

That aside, why does the function prevent updating all fields except the author field when that is the one in the validation function? What am I missing in CouchDB's logic?

Marcus
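As an added example, not code from the guide or from this thread, here is a `validate_doc_update` function of the kind the quoted sentence describes (claimed author must equal the authenticated username), together with a small harness that mimics how CouchDB calls it with `(newDoc, oldDoc, userCtx)`. The harness, the sample user contexts and the documents are constructed for this example; the extra check that an existing document's `author` field cannot be changed is an assumed hardening, not something the quoted sentence states.

```javascript
// Validation function as it would be stored under "validate_doc_update" in a
// design document. CouchDB rejects the write when it throws an object with a
// "forbidden" (403) or "unauthorized" (401) key; returning normally accepts it.
const validate_doc_update = function (newDoc, oldDoc, userCtx) {
  // Deletion: only the existing author may delete their own document.
  if (newDoc._deleted) {
    if (oldDoc && oldDoc.author !== userCtx.name) {
      throw { forbidden: "Only the author may delete this document" };
    }
    return;
  }
  if (!userCtx.name) {
    throw { unauthorized: "You must be logged in to write documents" };
  }
  // The check the guide describes: the claimed author must be the
  // authenticated user, so nobody can write a document "as" someone else.
  if (newDoc.author !== userCtx.name) {
    throw { forbidden: "author must equal the authenticated username " + userCtx.name };
  }
  // Assumed hardening (not from the quoted text): once a document exists, its
  // author cannot be rewritten, otherwise bob could take alice's document
  // and pass the check above simply by setting author to "bob".
  if (oldDoc && oldDoc.author !== newDoc.author) {
    throw { forbidden: "author field of an existing document cannot change" };
  }
};

// Harness mimicking CouchDB's call (constructed for this example): returns
// { ok: true } when the update is accepted, otherwise the rejection object.
function applyUpdate(newDoc, oldDoc, userCtx) {
  try {
    validate_doc_update(newDoc, oldDoc, userCtx);
    return { ok: true };
  } catch (e) {
    if (e && (e.forbidden || e.unauthorized)) return e;
    throw e; // any other throw is a bug in the validator, not a rejection
  }
}

// Constructed sample data: two authenticated users, one anonymous context,
// and an existing document owned by alice (the _rev value is a placeholder).
const alice = { name: "alice", roles: [] };
const bob = { name: "bob", roles: [] };
const anon = { name: null, roles: [] };
const existing = { _id: "post-1", _rev: "1-placeholder", author: "alice", body: "hello" };
```

Run the harness with `existing` as `oldDoc` and each user context to see which writes CouchDB would accept: alice editing her own body field passes, bob editing it or renaming the author is forbidden, and an anonymous write is unauthorized.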