Author: jchris
Date: Wed Apr  7 19:51:04 2010
New Revision: 931655

URL: http://svn.apache.org/viewvc?rev=931655&view=rev
Log:
temp_views should be only available to server and database admins

Modified:
    couchdb/trunk/share/www/script/test/reader_acl.js
    couchdb/trunk/src/couchdb/couch_db.erl
    couchdb/trunk/src/couchdb/couch_httpd_view.erl

Modified: couchdb/trunk/share/www/script/test/reader_acl.js
URL: 
http://svn.apache.org/viewvc/couchdb/trunk/share/www/script/test/reader_acl.js?rev=931655&r1=931654&r2=931655&view=diff
==============================================================================
--- couchdb/trunk/share/www/script/test/reader_acl.js (original)
+++ couchdb/trunk/share/www/script/test/reader_acl.js Wed Apr  7 19:51:04 2010
@@ -76,10 +76,17 @@ couchTests.reader_acl = function(debug) 
         }
       }).ok);
 
+
       T(CouchDB.login("jch...@apache.org", "funnybone").ok);
 
+      // db admin can read
       T(secretDb.open("baz").foo == "bar");
 
+      // and run temp views
+      TEquals(secretDb.query(function(doc) {
+        emit(null, null)
+      }).total_rows, 1);
+
       CouchDB.logout();
       T(CouchDB.session().userCtx.roles.indexOf("_admin") != -1);
 
@@ -120,6 +127,17 @@ couchTests.reader_acl = function(debug) 
       // readers can query stored views
       T(secretDb.view("foo/bar").total_rows == 1);
       
+      // readers can't do temp views
+      try {
+        var results = secretDb.query(function(doc) {
+          emit(null, null);
+        });
+        T(false && "temp view should be admin only");
+      } catch (e) {
+        T(true && "temp view is admin only");
+      }
+      
+      
       CouchDB.logout();
 
       // can't set non string reader names or roles
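Review bot: The `catch (e)` on the added lines accepts any exception, so a server or harness failure unrelated to authorization (a 500, a connection error, a JSON error) would also be reported as "temp view is admin only", and `var results` is assigned but never read. The catch should check the rejection the server actually sends for a non-admin — presumably the `unauthorized` error that `couch_db:check_is_admin/1` produces, to be confirmed against the Erlang side — e.g. `T(e.error == "unauthorized");`, and the `var results =` assignment can be dropped. `T(true && "...")` always passes, so the string never reaches the assertion output; if a label is wanted, `T(e.error == "unauthorized", "temp view is admin only")` (if the harness's `T` accepts a message argument, as its other callers suggest) would carry it. The enclosing test function continues outside the hunk.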

Modified: couchdb/trunk/src/couchdb/couch_db.erl
URL: 
http://svn.apache.org/viewvc/couchdb/trunk/src/couchdb/couch_db.erl?rev=931655&r1=931654&r2=931655&view=diff
==============================================================================
--- couchdb/trunk/src/couchdb/couch_db.erl (original)
+++ couchdb/trunk/src/couchdb/couch_db.erl Wed Apr  7 19:51:04 2010
@@ -26,6 +26,7 @@
 -export([set_security/2,get_security/1]).
 
-export([init/1,terminate/2,handle_call/3,handle_cast/2,code_change/3,handle_info/2]).
 -export([changes_since/5,changes_since/6,read_doc/2,new_revid/1]).
+-export([check_is_admin/1, check_is_reader/1]).
 
 -include("couch_db.hrl").
 

Modified: couchdb/trunk/src/couchdb/couch_httpd_view.erl
URL: 
http://svn.apache.org/viewvc/couchdb/trunk/src/couchdb/couch_httpd_view.erl?rev=931655&r1=931654&r2=931655&view=diff
==============================================================================
--- couchdb/trunk/src/couchdb/couch_httpd_view.erl (original)
+++ couchdb/trunk/src/couchdb/couch_httpd_view.erl Wed Apr  7 19:51:04 2010
@@ -77,6 +77,7 @@ handle_view_req(Req, _Db, _DDoc) ->
     send_method_not_allowed(Req, "GET,POST,HEAD").
 
 handle_temp_view_req(#httpd{method='POST'}=Req, Db) ->
+    ok = couch_db:check_is_admin(Db),
     couch_stats_collector:increment({httpd, temporary_view_reads}),
     {Props} = couch_httpd:json_body_obj(Req),
     Language = proplists:get_value(<<"language">>, Props, <<"javascript">>),
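Review bot: The admin check is placed correctly, before the stats counter and before `couch_httpd:json_body_obj/1` parses the request body, but nothing in the code says why that ordering matters, and a later edit could easily reorder it. A short comment on the new line would preserve the intent: `%% Admins only: reject before the body is parsed or the read is counted, since temp views run caller-supplied code in the view server.` The `ok =` match relies on `check_is_admin/1` throwing for non-admins rather than returning an error tuple; that behaviour is defined outside this hunk and is worth confirming. The rest of `handle_temp_view_req/2` continues past the hunk.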

