This is an automated email from the ASF dual-hosted git repository. ronny pushed a commit to branch fix-3960 in repository https://gitbox.apache.org/repos/asf/couchdb.git
commit be8845c629437e65c67d372aae1fa4116952c0c9 Author: Ronny Berndt <[email protected]> AuthorDate: Sat Jun 18 10:16:38 2022 +0200 Fix #3960 If the given UserRoles/Roles/Names aren't lists, ordersets:from_list/1 or listss:member will fail with an error. Prevent this with Erlang Pattern Matching or the Robot Butt Rule [1]. Thanks @nickva [1] https://medium.com/erlang-battleground/ode-to-the-robot-butt-bbd69e69beb2 --- src/couch/src/couch_db.erl | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/src/couch/src/couch_db.erl b/src/couch/src/couch_db.erl index 70ba1c2b9..cc3a0e377 100644 --- a/src/couch/src/couch_db.erl +++ b/src/couch/src/couch_db.erl @@ -733,18 +733,16 @@ is_authorized(#user_ctx{name = UserName, roles = UserRoles}, Security) -> false -> check_security(names, UserName, Names) end. -check_security(roles, [], _) -> - false; -check_security(roles, UserRoles, Roles) -> +check_security(roles, [_|_] = UserRoles, [_|_] = Roles) -> UserRolesSet = ordsets:from_list(UserRoles), RolesSet = ordsets:from_list(Roles), not ordsets:is_disjoint(UserRolesSet, RolesSet); -check_security(names, _, []) -> - false; -check_security(names, null, _) -> +check_security(roles, _, _) -> false; -check_security(names, UserName, Names) -> - lists:member(UserName, Names). +check_security(names, UserName, [_|_] = Names) -> + lists:member(UserName, Names); +check_security(names, _, _) -> + false. throw_security_error(#user_ctx{name = null} = UserCtx) -> Reason = <<"You are not authorized to access this db.">>,
