Sounds good to me.
On Sun, Feb 10, 2013 at 11:53 AM, <[email protected]> wrote:
> Updated Branches:
> refs/heads/1675-fix-roles-validation [created] 5f507095a
>
>
> Only allow strings in user doc "roles" array
>
> We validate that _security documents only contain strings but we have
> not done the same for the roles field in user docs. This is a breaking
> change as users may have been inserting other things (notably,
> objects) in this field.
>
> COUCHDB-1675
>
>
> Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
> Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/5f507095
> Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/5f507095
> Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/5f507095
>
> Branch: refs/heads/1675-fix-roles-validation
> Commit: 5f507095a0c7996391f6ca37a30fd0c4829b5e45
> Parents: 3b103eb
> Author: Robert Newson <[email protected]>
> Authored: Sun Feb 10 10:52:24 2013 +0000
> Committer: Robert Newson <[email protected]>
> Committed: Sun Feb 10 10:52:24 2013 +0000
>
> ----------------------------------------------------------------------
> share/www/script/test/users_db.js | 10 ++++++++++
> src/couchdb/couch_js_functions.hrl | 6 ++++++
> 2 files changed, 16 insertions(+), 0 deletions(-)
> ----------------------------------------------------------------------
>
>
> http://git-wip-us.apache.org/repos/asf/couchdb/blob/5f507095/share/www/script/test/users_db.js
> ----------------------------------------------------------------------
> diff --git a/share/www/script/test/users_db.js
> b/share/www/script/test/users_db.js
> index 44e6c88..4d6e4de 100644
> --- a/share/www/script/test/users_db.js
> +++ b/share/www/script/test/users_db.js
> @@ -112,6 +112,16 @@ couchTests.users_db = function(debug) {
> }
> jchrisUserDoc.roles = [];
>
> + // "roles" must be an array of strings
> + jchrisUserDoc.roles = [12];
> + try {
> + usersDb.save(jchrisUserDoc);
> + T(false && "should only allow us to save doc when roles is an array of
> strings");
> + } catch(e) {
> + TEquals(e.reason, "doc.roles can only contain strings");
> + }
> + jchrisUserDoc.roles = [];
> +
> // "roles" must exist
> delete jchrisUserDoc.roles;
> try {
>
> http://git-wip-us.apache.org/repos/asf/couchdb/blob/5f507095/src/couchdb/couch_js_functions.hrl
> ----------------------------------------------------------------------
> diff --git a/src/couchdb/couch_js_functions.hrl
> b/src/couchdb/couch_js_functions.hrl
> index 2ecd851..774b724 100644
> --- a/src/couchdb/couch_js_functions.hrl
> +++ b/src/couchdb/couch_js_functions.hrl
> @@ -39,6 +39,12 @@
> throw({forbidden: 'doc.roles must be an array'});
> }
>
> + for (var idx = 0; idx < newDoc.roles.length; idx++) {
> + if (typeof newDoc.roles[idx] !== 'string') {
> + throw({forbidden: 'doc.roles can only contain strings'});
> + }
> + }
> +
> if (newDoc._id !== ('org.couchdb.user:' + newDoc.name)) {
> throw({
> forbidden: 'Doc ID must be of the form org.couchdb.user:name'
>
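Review bot: The new negative test covers only a number (`jchrisUserDoc.roles = [12];`), although the commit message names objects as the notable thing users may have stored in this field. I would repeat the same try/catch with an object entry and with a mixed array, e.g. `jchrisUserDoc.roles = ["reader", {}];` (a constructed value), so the test shows that one bad element among valid ones is rejected. Note also that `T(false && "...")` evaluates to `T(false)`, so the explanatory message never reaches the assertion; this may simply follow the file's existing idiom, which is not visible here. The body of `couchTests.users_db` starts and ends outside the hunk.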
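Review bot: The added loop has no comment saying why element types matter, and the check only runs when a user doc is written, so documents already stored with objects or numbers in `roles` stay as they are until their next save, which will presumably then be refused even for an unrelated edit. I would put a comment above the loop such as `// roles are matched against the string role names in _security; reject anything else (COUCHDB-1675)` and mention in the upgrade notes that existing user docs need their `roles` cleaned up. The test `typeof newDoc.roles[idx] !== 'string'` also still accepts the empty string `''`; if an empty role name has no meaning, it is worth rejecting here too. The enclosing validation function, including the array check that appears to guard this loop, begins and ends outside the hunk.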
