This is an automated email from the ASF dual-hosted git repository.

jan pushed a commit to branch rebase/access-2023
in repository https://gitbox.apache.org/repos/asf/couchdb.git

commit 9e785cf10a521fabcc781d31497486542db6c3b7
Author: Jan Lehnardt <[email protected]>
AuthorDate: Fri Jun 24 17:13:25 2022 +0200

    feat(access): add new _users role for all authenticated users
---
 src/couch/src/couch_httpd_auth.erl | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/couch/src/couch_httpd_auth.erl 
b/src/couch/src/couch_httpd_auth.erl
index 652fb3996..4304ed9d1 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -99,6 +99,13 @@ basic_name_pw(Req) ->
             nil
     end.
 
+extract_roles(UserProps) ->
+    Roles = couch_util:get_value(<<"roles">>, UserProps, []),
+    case lists:member(<<"_admin">>, Roles) of
+        true -> Roles;
+        _ -> Roles ++ [<<"_users">>]
+    end.
+
 default_authentication_handler(Req) ->
     default_authentication_handler(Req, couch_auth_cache).
 
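Review bot: `extract_roles/1` appends `<<"_users">>` without checking whether the stored roles list already contains it, and it skips the role entirely for `_admin`, which the commit title ("all authenticated users") does not explain. Since this list feeds `#user_ctx.roles` and so access decisions, the function should have a short comment stating that `_users` is synthesized at authentication time and why admins are excluded. Whether a user document can already carry `_users` depends on validation that is not visible in this diff, so that is worth confirming. The catch-all `_ ->` hides any non-boolean result; `lists:member/2` only returns `true` or `false`, so write `false -> Roles ++ [<<"_users">>]`. The diffstat shows no test changes, so a test covering both the admin and non-admin branch would help.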
@@ -117,7 +124,7 @@ default_authentication_handler(Req, AuthModule) ->
                             Req#httpd{
                                 user_ctx = #user_ctx{
                                     name = UserName,
-                                    roles = couch_util:get_value(<<"roles">>, 
UserProps, [])
+                                    roles = extract_roles(UserProps)
                                 }
                             };
                         false ->
@@ -189,7 +196,7 @@ proxy_auth_user(Req) ->
             Roles =
                 case header_value(Req, XHeaderRoles) of
                     undefined -> [];
-                    Else -> re:split(Else, "\\s*,\\s*", [trim, {return, 
binary}])
+                    Else -> [<<"_users">> | re:split(Else, "\\s*,\\s*", [trim, 
{return, binary}])]
                 end,
             case
                 chttpd_util:get_chttpd_auth_config_boolean(
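Review bot: `_users` is only added in the `Else` branch, so a proxy-authenticated request that sends no roles header still ends up with `Roles = []` and never receives the role that the other handlers now grant. This path also prepends `_users` even when the header lists `_admin`, whereas `extract_roles/1` leaves admin role lists untouched, so the same user gets different role sets depending on the handler. Consider `undefined -> [<<"_users">>];` and applying the same `_admin` rule as `extract_roles/1`, ideally through one shared helper. The body of `proxy_auth_user/1` continues outside this hunk, so it is not visible here whether the roles are used before the proxy secret check. Any other handler in this file that builds `user_ctx` roles is also outside the diff and should be checked for the same gap.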
@@ -380,9 +387,7 @@ cookie_authentication_handler(#httpd{mochi_req = MochiReq} 
= Req, AuthModule) ->
                                             Req#httpd{
                                                 user_ctx = #user_ctx{
                                                     name = ?l2b(User),
-                                                    roles = 
couch_util:get_value(
-                                                        <<"roles">>, 
UserProps, []
-                                                    )
+                                                    roles = 
extract_roles(UserProps)
                                                 },
                                                 auth = {FullSecret, TimeLeft < 
Timeout * 0.9}
                                             };
@@ -510,7 +515,7 @@ handle_session_req(#httpd{method = 'POST', mochi_req = 
MochiReq} = Req, AuthModu
                 {[
                     {ok, true},
                     {name, UserName},
-                    {roles, couch_util:get_value(<<"roles">>, UserProps, [])}
+                    {roles, extract_roles(UserProps)}
                 ]}
             );
         false ->
