author | Nick Vatamaniuc <vatamane@apache.org> | 2020-04-06 17:48:59 -0400 |
---|---|---|
committer | Nick Vatamaniuc <nickva@users.noreply.github.com> | 2020-04-07 12:18:29 -0400 |
commit | e71a77d5c8bf9394a4130d98e59e8de2795ba4b3 (patch) | |
tree | 5f1556152572831473fe8d1c94d92dd6ce7d6064 | |
parent | 1be2363b4dae31ab67d6bafd3f5a2620f5d784eb (diff) | |
download | couchdb-e71a77d5c8bf9394a4130d98e59e8de2795ba4b3.tar.gz |
Do not allow editing _security in _user database
It should only be allowed if explicitly configured. Previously we did not
properly match on the database name and effectively always allowed it.
-rw-r--r-- | src/chttpd/src/chttpd_db.erl | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/chttpd/src/chttpd_db.erl b/src/chttpd/src/chttpd_db.erl index 16cfbd0df..730cf3ef5 100644 --- a/src/chttpd/src/chttpd_db.erl +++ b/src/chttpd/src/chttpd_db.erl @@ -1963,7 +1963,7 @@ extract_header_rev(Req, ExplicitRev) -> end. validate_security_can_be_edited(DbName) -> - UserDbName = config:get("chttpd_auth", "authentication_db", "_users"), + UserDbName = ?l2b(config:get("chttpd_auth", "authentication_db", "_users")), CanEditUserSecurityObject = config:get("couchdb","users_db_security_editable","false"), case {DbName,CanEditUserSecurityObject} of {UserDbName,"false"} -> |
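Review bot: the guard in validate_security_can_be_edited still fails open on the config value. The visible clause `{UserDbName,"false"} ->` blocks the edit only when users_db_security_editable is the exact string "false", so a typo or a differently cased value would take some other branch. It would be safer to allow editing only on an explicit "true" and reject everything else. Separately, the original bug was a silent list-versus-binary mismatch in that same pattern, and this commit touches only chttpd_db.erl. A regression test asserting that a _security update on the authentication db is rejected with default config, plus a short comment next to the `?l2b(...)` call noting that DbName arrives as a binary, would keep the comparison from quietly breaking again.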