I'm really struggling to believe that many people would read this code;
    function (newDoc, oldDoc, userCtx) {
      if (newDoc.author) {
        if (newDoc.author != userCtx.name) {
          throw({"forbidden": "You may only update documents with author " +
            userCtx.name});
        }
      }
    }
and think it prevented
^_^ I'm fairly new to CouchDB, too. I only figured that out because
I saw on the page you linked to that it referred to a previous chapter
and I went to it to see if there was any clarification or if the code
was the same. It probably should be tweaked a bit so it's a little
more clear what the
On Wed, Aug 29, 2012 at 10:32 PM, Tim Tisdall wrote:
>
> I think that chunk of code is to ensure that when someone saves a
> change to a document that they also have to sign it with their own
> user name.
That would certainly make sense for a wiki application, but I think
it's unclear because "au
okay.. seems I hit "send" too quickly... read this section:
http://guide.couchdb.org/draft/validation.html#authorship
I think that chunk of code is to ensure that when someone saves a
change to a document that they also have to sign it with their own
user name. So, changing the user name in the d
I think it should probably be looking at the oldDoc like Paul said.
Then it should be preventing all editing unless the current user is
the one in the doc (including changing the author).
On the top of the CouchDB definitive guide page you sent there's a
link that says "report issue"... I'm prett
The function I used is from the "CouchDB Definitive Guide". It's in
both the security and validation sections.
http://guide.couchdb.org/draft/security.html
"We had an update validation function that allowed us to verify that
the claimed author of a document matched the authenticated username."
I
Firstly, security issues (even suspected ones) should not be posted to a public
mailing list (use secur...@couchdb.apache.org)
Secondly, you ask "Shouldn't couchdb prevent the author field from being
updated?"
The answer, of course is, "Yes, if a validate_doc_update function prevents it".
Your
Check against oldDoc instead of newDoc?
On Wed, Aug 29, 2012 at 1:28 PM, Wordit wrote:
> I may have stumbled upon a security issue in validation functions.
> Maybe somebody else can try to confirm this. I've been using the
> validation function mentioned several times in the user guide:
>
> funct
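
Added example, not part of any message in this thread and not code from the CouchDB guide: the function quoted above next to a variant that also checks oldDoc, as suggested in the replies, run against constructed documents. The names validateNewDocOnly, validateWithOldDoc and accepted, the sample users and documents, and the exact policy of the second function are assumptions made for illustration.

```javascript
// The function from the thread, behaviour unchanged: it only compares the
// *incoming* author field with the authenticated user name.
function validateNewDocOnly(newDoc, oldDoc, userCtx) {
  if (newDoc.author) {
    if (newDoc.author != userCtx.name) {
      throw({forbidden: "You may only update documents with author " + userCtx.name});
    }
  }
}

// Variant that also consults oldDoc (assumed policy: only the stored author
// may change a document, and nobody may sign as someone else).
function validateWithOldDoc(newDoc, oldDoc, userCtx) {
  // oldDoc is null when the document is being created.
  if (oldDoc && oldDoc.author && oldDoc.author !== userCtx.name) {
    throw({forbidden: "Only " + oldDoc.author + " may update this document"});
  }
  if (newDoc.author && newDoc.author !== userCtx.name) {
    throw({forbidden: "You may only update documents with author " + userCtx.name});
  }
}

// Hypothetical helper: call a validation function with the arguments CouchDB
// passes and report whether the write would be accepted.
function accepted(validate, newDoc, oldDoc, userCtx) {
  try {
    validate(newDoc, oldDoc, userCtx);
    return true;
  } catch (e) {
    if (e && e.forbidden) return false; // rejected by the validation function
    throw e;                            // anything else is a real error
  }
}

// Constructed sample data: a document stored by alice, and two users.
const stored = {_id: "page1", author: "alice", text: "original"};
const alice = {name: "alice", roles: []};
const bob = {name: "bob", roles: []};
// bob rewrites alice's document and signs it with his own name.
const reSigned = {_id: "page1", author: "bob", text: "changed"};
// alice edits her own document.
const ownEdit = {_id: "page1", author: "alice", text: "v2"};

console.log("newDoc-only check, bob re-signs:", accepted(validateNewDocOnly, reSigned, stored, bob));
console.log("oldDoc check, bob re-signs:     ", accepted(validateWithOldDoc, reSigned, stored, bob));
console.log("oldDoc check, alice edits own:  ", accepted(validateWithOldDoc, ownEdit, stored, alice));
```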