Author: jchris Date: Wed Apr 7 19:51:04 2010 New Revision: 931655 URL: http://svn.apache.org/viewvc?rev=931655&view=rev Log: temp_views should only be available to server and database admins
Modified: couchdb/trunk/share/www/script/test/reader_acl.js couchdb/trunk/src/couchdb/couch_db.erl couchdb/trunk/src/couchdb/couch_httpd_view.erl Modified: couchdb/trunk/share/www/script/test/reader_acl.js URL: http://svn.apache.org/viewvc/couchdb/trunk/share/www/script/test/reader_acl.js?rev=931655&r1=931654&r2=931655&view=diff ============================================================================== --- couchdb/trunk/share/www/script/test/reader_acl.js (original) +++ couchdb/trunk/share/www/script/test/reader_acl.js Wed Apr 7 19:51:04 2010 @@ -76,10 +76,17 @@ couchTests.reader_acl = function(debug) } }).ok); + T(CouchDB.login("jch...@apache.org", "funnybone").ok); + // db admin can read T(secretDb.open("baz").foo == "bar"); + // and run temp views + TEquals(secretDb.query(function(doc) { + emit(null, null) + }).total_rows, 1); + CouchDB.logout(); T(CouchDB.session().userCtx.roles.indexOf("_admin") != -1); @@ -120,6 +127,17 @@ couchTests.reader_acl = function(debug) // readers can query stored views T(secretDb.view("foo/bar").total_rows == 1); + // readers can't do temp views + try { + var results = secretDb.query(function(doc) { + emit(null, null); + }); + T(false && "temp view should be admin only"); + } catch (e) { + T(true && "temp view is admin only"); + } + + CouchDB.logout(); // can't set non string reader names or roles Modified: couchdb/trunk/src/couchdb/couch_db.erl URL: http://svn.apache.org/viewvc/couchdb/trunk/src/couchdb/couch_db.erl?rev=931655&r1=931654&r2=931655&view=diff ============================================================================== --- couchdb/trunk/src/couchdb/couch_db.erl (original) +++ couchdb/trunk/src/couchdb/couch_db.erl Wed Apr 7 19:51:04 2010 
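Review bot: The catch block in the second reader_acl.js hunk treats any exception as proof that the temp view was rejected, so the test also passes if the query fails for an unrelated reason (malformed request, server error, a bug in the test itself); it should assert on the specific error the server returns (its error or status field) rather than on the mere fact that something was thrown. The messages in `T(false && "temp view should be admin only")` and `T(true && "temp view is admin only")` carry no information, since `false && "x"` is just `false` and `true && "x"` is just the string, so plain comments would say the same thing more honestly, and the unused `var results` can go. The first hunk's positive case is fine, but it only proves a db admin can run a temp view; a matching negative assertion on the exact error keeps the two halves symmetrical. The enclosing test function starts before the first hunk and continues past the second.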
@@ -26,6 +26,7 @@
 -export([set_security/2,get_security/1]).
 -export([init/1,terminate/2,handle_call/3,handle_cast/2,code_change/3,handle_info/2]).
 -export([changes_since/5,changes_since/6,read_doc/2,new_revid/1]).
+-export([check_is_admin/1, check_is_reader/1]).
 -include("couch_db.hrl").
Modified: couchdb/trunk/src/couchdb/couch_httpd_view.erl
URL: http://svn.apache.org/viewvc/couchdb/trunk/src/couchdb/couch_httpd_view.erl?rev=931655&r1=931654&r2=931655&view=diff
==============================================================================
--- couchdb/trunk/src/couchdb/couch_httpd_view.erl (original)
+++ couchdb/trunk/src/couchdb/couch_httpd_view.erl Wed Apr 7 19:51:04 2010
@@ -77,6 +77,7 @@ handle_view_req(Req, _Db, _DDoc) ->
 send_method_not_allowed(Req, "GET,POST,HEAD").
 handle_temp_view_req(#httpd{method='POST'}=Req, Db) ->
+ ok = couch_db:check_is_admin(Db),
 couch_stats_collector:increment({httpd, temporary_view_reads}),
 {Props} = couch_httpd:json_body_obj(Req),
 Language = proplists:get_value(<<"language">>, Props, <<"javascript">>),
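Review bot: `ok = couch_db:check_is_admin(Db)` in handle_temp_view_req only yields the intended authorization failure if check_is_admin/1 signals rejection by throwing; should it ever return a non-`ok` value instead, the match raises badmatch and the client gets a 500 rather than an authorization error, so that contract is worth confirming in couch_db and pinning with a `-spec` on the newly exported function, with the throw named in its comment. The placement is right: the check runs before the stats counter is incremented and before the request body is parsed, so unauthorized callers neither inflate temporary_view_reads nor get their JSON body processed. A why-comment would help the next reader, e.g. `%% temp views run caller-supplied map code on the server, so only server and db admins may use them`. Any other method clauses of handle_temp_view_req are outside the hunk, and the function's body continues past it.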