author | Robert Newson <rnewson@apache.org> | 2013-02-10 10:52:24 +0000 |
---|---|---|
committer | Robert Newson <rnewson@apache.org> | 2013-02-10 10:52:24 +0000 |
commit | 5f507095a0c7996391f6ca37a30fd0c4829b5e45 (patch) | |
tree | 1e604d40b8c479ea833a4955ea58717839038bc3 | |
parent | 3b103eb10b115b4b6a8f0c6e31dc92292c0aeb71 (diff) | |
download | couchdb-5f507095a0c7996391f6ca37a30fd0c4829b5e45.tar.gz |
Only allow strings in user doc "roles" array1675-fix-roles-validation
We validate that _security documents only contain strings but we have
not done the same for the roles field in user docs. This is a breaking
change as users may have been inserting other things (notably,
objects) in this field.
COUCHDB-1675
-rw-r--r-- | share/www/script/test/users_db.js | 10 | ||||
-rw-r--r-- | src/couchdb/couch_js_functions.hrl | 6 |
2 files changed, 16 insertions, 0 deletions
diff --git a/share/www/script/test/users_db.js b/share/www/script/test/users_db.js
index 44e6c8878..4d6e4de58 100644
--- a/share/www/script/test/users_db.js
+++ b/share/www/script/test/users_db.js
@@ -112,6 +112,16 @@ couchTests.users_db = function(debug) {
 }
 jchrisUserDoc.roles = [];
 
+ // "roles" must be an array of strings
+ jchrisUserDoc.roles = [12];
+ try {
+ usersDb.save(jchrisUserDoc);
+ T(false && "should only allow us to save doc when roles is an array of strings");
+ } catch(e) {
+ TEquals(e.reason, "doc.roles can only contain strings");
+ }
+ jchrisUserDoc.roles = [];
+
 // "roles" must exist
 delete jchrisUserDoc.roles;
 try {
diff --git a/src/couchdb/couch_js_functions.hrl b/src/couchdb/couch_js_functions.hrl
index 2ecd85142..774b72457 100644
--- a/src/couchdb/couch_js_functions.hrl
+++ b/src/couchdb/couch_js_functions.hrl
@@ -39,6 +39,12 @@
 throw({forbidden: 'doc.roles must be an array'});
 }
 
+ for (var idx = 0; idx < newDoc.roles.length; idx++) {
+ if (typeof newDoc.roles[idx] !== 'string') {
+ throw({forbidden: 'doc.roles can only contain strings'});
+ }
+ }
+
 if (newDoc._id !== ('org.couchdb.user:' + newDoc.name)) {
 throw({
 forbidden: 'Doc ID must be of the form org.couchdb.user:name' |
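Review bot: The new test in users_db.js exercises only a single number at index 0 (`jchrisUserDoc.roles = [12];`), while the commit message names objects as the values users are most likely to have stored and the validator walks every element. A second case with the same try/catch, for example `jchrisUserDoc.roles = ["ok", {}];` (constructed sample), would cover both an object and a non-string that follows a valid entry. Separately, `T(false && "...")` always evaluates to `false`, so the message text is presumably never reported; that may simply follow the idiom of the neighbouring tests. The enclosing test function starts and ends outside the hunk.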
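Review bot: In the couch_js_functions.hrl hunk the added loop inspects only `newDoc.roles`, so a user document stored earlier with a non-string role will presumably be rejected on its next write of any kind until the array is cleaned up. The commit message calls this a breaking change, but nothing at the check itself says so; a comment above the loop such as `// Breaking: docs stored earlier with non-string roles are rejected on their next update` would help whoever hits the error later. The `typeof ... !== 'string'` test also accepts the empty string, which may be fine but deserves a deliberate decision if roles are matched against `_security` entries. The enclosing validation function starts and ends outside the hunk.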