summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRobert Newson <rnewson@apache.org>2013-02-10 10:52:24 +0000
committerRobert Newson <rnewson@apache.org>2013-02-10 10:52:24 +0000
commit5f507095a0c7996391f6ca37a30fd0c4829b5e45 (patch)
tree1e604d40b8c479ea833a4955ea58717839038bc3
parent3b103eb10b115b4b6a8f0c6e31dc92292c0aeb71 (diff)
downloadcouchdb-5f507095a0c7996391f6ca37a30fd0c4829b5e45.tar.gz
Only allow strings in user doc "roles" array1675-fix-roles-validation
We validate that _security documents only contain strings but we have not done the same for the roles field in user docs. This is a breaking change as users may have been inserting other things (notably, objects) in this field. COUCHDB-1675
-rw-r--r--share/www/script/test/users_db.js10
-rw-r--r--src/couchdb/couch_js_functions.hrl6
2 files changed, 16 insertions, 0 deletions
diff --git a/share/www/script/test/users_db.js b/share/www/script/test/users_db.js
index 44e6c8878..4d6e4de58 100644
--- a/share/www/script/test/users_db.js
+++ b/share/www/script/test/users_db.js
@@ -112,6 +112,16 @@ couchTests.users_db = function(debug) {
}
jchrisUserDoc.roles = [];
+ // "roles" must be an array of strings
+ jchrisUserDoc.roles = [12];
+ try {
+ usersDb.save(jchrisUserDoc);
+ T(false && "should only allow us to save doc when roles is an array of strings");
+ } catch(e) {
+ TEquals(e.reason, "doc.roles can only contain strings");
+ }
+ jchrisUserDoc.roles = [];
+
// "roles" must exist
delete jchrisUserDoc.roles;
try {
diff --git a/src/couchdb/couch_js_functions.hrl b/src/couchdb/couch_js_functions.hrl
index 2ecd85142..774b72457 100644
--- a/src/couchdb/couch_js_functions.hrl
+++ b/src/couchdb/couch_js_functions.hrl
@@ -39,6 +39,12 @@
throw({forbidden: 'doc.roles must be an array'});
}
+ for (var idx = 0; idx < newDoc.roles.length; idx++) {
+ if (typeof newDoc.roles[idx] !== 'string') {
+ throw({forbidden: 'doc.roles can only contain strings'});
+ }
+ }
+
if (newDoc._id !== ('org.couchdb.user:' + newDoc.name)) {
throw({
forbidden: 'Doc ID must be of the form org.couchdb.user:name'