okay.. seems I hit "send" too quickly... read this section: http://guide.couchdb.org/draft/validation.html#authorship
I think that chunk of code is to ensure that when someone saves a change to a document that they also have to sign it with their own user name. So, changing the user name in the document isn't a way to circumvent the security, it's something that the validator is enforcing so the document always has the author of the last person to edit it. So, not a bug in the document, just a misunderstanding of the intention of the code...

-Tim

On Wed, Aug 29, 2012 at 4:25 PM, Tim Tisdall <tisd...@gmail.com> wrote:
> I think it should probably be looking at the oldDoc like Paul said.
> Then it should be preventing all editing unless the current user is
> the one in the doc (including changing the author).
>
> On the top of the couchdb definitive guide page you sent there's a
> link that says "report issue"... I'm pretty sure you found a problem
> in the code. I also didn't see an existing issue in the issue tracker
> about it.
>
> On Wed, Aug 29, 2012 at 3:01 PM, Wordit <wordi...@gmail.com> wrote:
>> The function I used is from the "CouchDB Definitive Guide". It's in
>> both the security and validation sections.
>>
>> http://guide.couchdb.org/draft/security.html
>>
>> "We had an update validation function that allowed us to verify that
>> the claimed author of a document matched the authenticated username."
>>
>> Is the guide outdated, is it an error in the guide, or did I
>> misunderstand what it is to be used for? Or all three perhaps?
>>
>>
>> That aside, why does the function prevent updating all fields except
>> the author field when that is the one in the validation function? What
>> am I missing in couchdb's logic?
>>
>> Marcus
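
Added example, not part of the thread and not the guide's own code: a JavaScript sketch comparing the two behaviours discussed above, a validator that only checks the claimed author against the authenticated user, and one that also consults `oldDoc`. The names `signOnly`, `ownerOnly` and `attempt`, and the sample documents, are constructed for illustration; only the `(newDoc, oldDoc, userCtx)` signature and the `{forbidden: ...}` throw are CouchDB's.

```javascript
// Added illustration; function names are hypothetical. CouchDB calls a
// validate_doc_update function as (newDoc, oldDoc, userCtx) and rejects
// the write when the function throws {forbidden: "..."}.

// Check as described in the thread: the claimed author must be the writer.
function signOnly(newDoc, oldDoc, userCtx) {
  if (newDoc.author && newDoc.author !== userCtx.name) {
    throw { forbidden: "author must be " + userCtx.name };
  }
}

// Variant that also looks at oldDoc: only the stored author may edit, so
// the author field cannot be taken over. It requires an author on every write.
function ownerOnly(newDoc, oldDoc, userCtx) {
  if (newDoc.author !== userCtx.name) {
    throw { forbidden: "author must be " + userCtx.name };
  }
  if (oldDoc && oldDoc.author !== userCtx.name) {
    throw { forbidden: "only " + oldDoc.author + " may edit this document" };
  }
}

// Minimal stand-in for the database: run the validator, report the outcome.
function attempt(validate, newDoc, oldDoc, user) {
  try {
    validate(newDoc, oldDoc, { name: user, roles: [] });
    return "accepted";
  } catch (e) {
    if (e && e.forbidden) return "forbidden";
    throw e; // anything else is a bug in the validator itself
  }
}

// Constructed sample documents and update attempts.
const stored = { _id: "post1", author: "alice", body: "original" };
const cases = [
  ["bob edits body, keeps author alice", { ...stored, body: "x" }, stored, "bob"],
  ["bob edits body, signs as bob", { ...stored, author: "bob", body: "x" }, stored, "bob"],
  ["alice edits her own doc", { ...stored, body: "y" }, stored, "alice"],
  ["bob creates a doc as bob", { _id: "post2", author: "bob" }, null, "bob"],
];

function runCases() {
  return cases.map(([label, newDoc, oldDoc, user]) => ({
    label,
    signOnly: attempt(signOnly, newDoc, oldDoc, user),
    ownerOnly: attempt(ownerOnly, newDoc, oldDoc, user),
  }));
}

console.table(runCases());
```

The first two rows show the behaviour asked about in the thread: under the sign-only check another user's edit is refused until the author field is changed to that user's name, while the `oldDoc` variant refuses both.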