author | Jan Lehnardt <jan@apache.org> | 2012-02-16 16:36:42 +0100 |
---|---|---|
committer | Jan Lehnardt <jan@apache.org> | 2012-02-21 20:20:05 +0100 |
commit | 6dc942496a9c0f2c829ba23c193d3c3668b7068e (patch) | |
tree | f43e49c0b92a4af6de7b22e0b9a99693744cb183 | |
parent | 64c94168e234c6a3178f2563263e75965f1469e0 (diff) | |
download | couchdb-6dc942496a9c0f2c829ba23c193d3c3668b7068e.tar.gz |
make /_users/_changes admin-only
-rw-r--r-- | share/www/script/test/users_db_security.js | 24 | ||||
-rw-r--r-- | src/couchdb/couch_httpd_db.erl | 1 |
2 files changed, 25 insertions, 0 deletions
diff --git a/share/www/script/test/users_db_security.js b/share/www/script/test/users_db_security.js
index 9735d6b07..75a4dfa6b 100644
--- a/share/www/script/test/users_db_security.js
+++ b/share/www/script/test/users_db_security.js
@@ -58,6 +58,18 @@ couchTests.users_db_security = function(debug) {
 }
 };

+ var changes_as = function(db, username)
+ {
+ loginUser(username);
+ try {
+ return db.changes();
+ } catch(ex) {
+ return ex;
+ } finally {
+ CouchDB.logout();
+ }
+ };
+
 var testFun = function() {
 usersDb.deleteDb();

@@ -96,10 +108,22 @@ couchTests.users_db_security = function(debug) {
 var res = usersDb.open("org.couchdb.user:jchris");
 TEquals(null, res, "anonymous user doc read should be not found");

+ // anonymous should not be able to read /_users/_changes
+ try {
+ var ch = usersDb.changes();
+ T(false, "anonymous can read _changes");
+ } catch(e) {
+ TEquals("unauthorized", e.error, "anoymous can't read _changes");
+ }
+
 // user should be able to read their own document
 var jchrisDoc = open_as(usersDb, "org.couchdb.user:jchris", "jchris");
 TEquals("org.couchdb.user:jchris", jchrisDoc._id);

+ // user should not be able to read /_users/_changes
+ var changes = changes_as(usersDb, "jchris");
+ TEquals("unauthorized", changes.error, "user can't read _changes");
+
 // new 'password' fields should trigger new hashing routine
 jchrisDoc.password = "couch";

diff --git a/src/couchdb/couch_httpd_db.erl b/src/couchdb/couch_httpd_db.erl
index f66964343..bba9b7c88 100644
--- a/src/couchdb/couch_httpd_db.erl
+++ b/src/couchdb/couch_httpd_db.erl
@@ -64,6 +64,7 @@ handle_changes_req(#httpd{path_parts=[_,<<"_changes">>]}=Req, _Db) ->
 send_method_not_allowed(Req, "GET,HEAD,POST").

 handle_changes_req1(Req, Db) ->
+ ok = couch_db:check_is_admin(Db),
 MakeCallback = fun(Resp) ->
 fun({change, Change, _}, "continuous") ->
 send_chunk(Resp, [?JSON_ENCODE(Change) | "\n"]); |
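Review bot: `changes_as` hands back the caught exception as its ordinary return value, so one call yields either the changes result or an error object, and nothing on the helper says so. A one-line comment above it would make that contract explicit, for example `// returns db.changes(), or the thrown error object when the request is rejected`. The opening brace on a line of its own also departs from the `var testFun = function() {` form used directly below it.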
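Review bot: The new assertions cover only the denied cases: nothing here checks that a server admin can still read `/_users/_changes`, or that `_changes` on an ordinary database stays readable for a non-admin, so a server-side check that is too broad would still pass this test. Both positive cases are worth adding next to these assertions. Smaller points: `var ch` is never used, so `usersDb.changes();` is enough, and the assertion message has a typo and should read `"anonymous can't read _changes"`. The enclosing `testFun` starts and ends outside the hunk.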
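Review bot: The added `ok = couch_db:check_is_admin(Db)` sits at the top of `handle_changes_req1` with no condition on which database `Db` is, so as far as this hunk shows it makes `_changes` admin-only for every database, not only `_users` as the commit title says. The check should run only when the database is the configured authentication database, leaving the access rules of all other databases as they were. The JS test in this commit exercises only `usersDb`, so it would not notice the wider effect. The body of `handle_changes_req1` continues outside the hunk.

```erlang
handle_changes_req1(Req, #db{name=DbName}=Db) ->
    AuthDbName = ?l2b(couch_config:get("couch_httpd_auth", "authentication_db")),
    case AuthDbName of
    DbName ->
        % _changes on the authentication database is admin-only
        ok = couch_db:check_is_admin(Db);
    _Else ->
        % other databases keep their existing _changes access rules
        ok
    end,
    MakeCallback = fun(Resp) ->
    % … unchanged: rest of handle_changes_req1 …
```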