On Mon, Feb 8, 2010 at 8:19 AM, Brian Candler <[email protected]> wrote:
> Sorry to drag on about this, but I have another problem with the readeracl
> branch.
>
> As far as I can tell, it's impossible to test in validate_doc_update whether
> the user is listed in the database-level _admins resource.

This is a good example of a use case for putting all this stuff in a single
object. Sorry I haven't had a chance to respond to your earlier message yet,
superbowl, etc. etc.

Chris

> Example:
>
> $ curl http://brianadmin:[email protected]:5984/briantest/_admins
> {"names":["brianadmin"],"roles":[]}
>
> $ curl -X PUT
> -d'{"validate_doc_update":"function(newDoc,oldDoc,userCtx,secObj) {if
> (userCtx.roles.indexOf(\"_admin\") == -1) {throw {unauthorized: \"You are not
> an admin\"+toJSON(userCtx)};}}"}'
> 'http://brianadmin:[email protected]:5984/briantest/_design/testadmin'
> {"ok":true,"id":"_design/testadmin","rev":"1-3a33960e65f156773478f357aaf67471"}
>
> $ curl -X PUT -d "{}"
> http://brianadmin:[email protected]:5984/briantest/foo
> {"error":"unauthorized","reason":"You are not an
> admin{\"db\":\"briantest\",\"name\":\"brianadmin\",\"roles\":[]}"}
>
> That is, the "_admin" role is only visible here if you are a server-wide
> admin, not if you are a database-level admin.
>
> As a result, if you want database-level admins to have any special
> privileges with regards to updating documents, you have to list them again
> in the _security document.
>
> I don't think this is clear in the security_validation.js test, because it
> uses X-Couch-Test-Auth, which gives _admin role when not logged in as any
> particular user. So
>
> T(db.setDbProperty("_security", {admin_override : true}).ok);
> T(db.save(doc).ok);
>
> only works because the _admin role is set here, not because the user is in
> _admins.
>
> Regards,
>
> Brian.

-- 
Chris Anderson
http://jchrisa.net
http://couch.io
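The validation function Brian posted only accepts callers whose userCtx.roles contains "_admin", which is why a database-level admin such as brianadmin is rejected. The following is an added example, not code from the thread or from CouchDB, showing the check he was after: a validate_doc_update that also consults the fourth argument, secObj. It assumes secObj carries an "admins" member shaped like the _admins resource in the thread ({names: [...], roles: [...]}); that layout is an assumption about the readeracl branch, not something the thread confirms. The sample userCtx and secObj values are constructed, modelled on the thread's output.

```javascript
// Added example (not from the thread or from CouchDB). Assumption: secObj is
// the database security object and has an "admins" member of the form
// {names: [...], roles: [...]}, matching the _admins resource in the thread.

// True when the caller is a server-wide admin (role "_admin", the only case
// the thread's function accepts) or is listed by name or by role in
// secObj.admins. A missing or empty admins section grants nobody.
function isAdmin(userCtx, secObj) {
  var roles = (userCtx && userCtx.roles) || [];
  if (roles.indexOf("_admin") !== -1) {
    return true;
  }
  var admins = (secObj && secObj.admins) || {};
  var names = admins.names || [];
  var adminRoles = admins.roles || [];
  if (userCtx && userCtx.name && names.indexOf(userCtx.name) !== -1) {
    return true; // listed by name in the database-level admins
  }
  for (var i = 0; i < roles.length; i++) {
    if (adminRoles.indexOf(roles[i]) !== -1) {
      return true; // one of the caller's roles is a database-level admin role
    }
  }
  return false;
}

// The validation function in the shape CouchDB calls it: throw to reject.
// CouchDB provides toJSON() inside the design doc; JSON.stringify does the
// same job when the function is exercised outside CouchDB.
function validateDocUpdate(newDoc, oldDoc, userCtx, secObj) {
  if (!isAdmin(userCtx, secObj)) {
    throw { unauthorized: "You are not an admin " + JSON.stringify(userCtx) };
  }
}

// Runs the validator and reports the outcome instead of throwing, so the
// cases below can be compared side by side.
function tryUpdate(userCtx, secObj) {
  try {
    validateDocUpdate({}, null, userCtx, secObj);
    return "ok";
  } catch (e) {
    return e && e.unauthorized ? "unauthorized" : "error";
  }
}

// Constructed sample inputs modelled on the thread's output.
var SEC_OBJ = { admins: { names: ["brianadmin"], roles: ["ops"] } };
// The exact userCtx the thread shows being rejected:
var DB_ADMIN = { db: "briantest", name: "brianadmin", roles: [] };
// What X-Couch-Test-Auth yields when not logged in as a particular user:
var SERVER_ADMIN = { db: "briantest", name: null, roles: ["_admin"] };
var ROLE_ADMIN = { db: "briantest", name: "alice", roles: ["ops"] };
var PLAIN_USER = { db: "briantest", name: "bob", roles: [] };

// Collects the outcome for each sample caller.
function demo() {
  return {
    dbAdmin: tryUpdate(DB_ADMIN, SEC_OBJ),         // "ok"
    serverAdmin: tryUpdate(SERVER_ADMIN, SEC_OBJ), // "ok"
    roleAdmin: tryUpdate(ROLE_ADMIN, SEC_OBJ),     // "ok"
    plainUser: tryUpdate(PLAIN_USER, SEC_OBJ),     // "unauthorized"
    noSecObj: tryUpdate(DB_ADMIN, {})              // "unauthorized"
  };
}
```

Note that with the thread's original function, the dbAdmin case above is the one that fails; the extra lookup into secObj.admins is what makes it pass without relisting the same users in the _security document.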
