Github user kxepal commented on a diff in the pull request:
https://github.com/apache/couchdb-couch-mrview/pull/13#discussion_r22392328
--- Diff: src/couch_mrview_http.erl ---
@@ -159,41 +177,59 @@ handle_cleanup_req(Req, _Db) ->
all_docs_req(Req, Db, Keys) ->
- case couch_db:is_system_db(Db) of
+ all_docs_req(Req, Db, Keys, undefined).
+
+all_docs_req(Req, Db, Keys, NS) ->
+ case is_restricted(Db, NS) of
true ->
case (catch couch_db:check_is_admin(Db)) of
ok ->
- do_all_docs_req(Req, Db, Keys);
+ do_all_docs_req(Req, Db, Keys, NS);
+ _ when NS == <<"_local">> ->
+ throw({forbidden, <<"Only admins can access _local_docs">>});
_ ->
- DbName = ?b2l(Db#db.name),
- case config:get("couch_httpd_auth",
- "authentication_db",
- "_users") of
- DbName ->
- UsersDbPublic = config:get("couch_httpd_auth",
"users_db_public", "false"),
- PublicFields = config:get("couch_httpd_auth",
"public_fields"),
- case {UsersDbPublic, PublicFields} of
- {"true", PublicFields} when PublicFields =/= undefined ->
- do_all_docs_req(Req, Db, Keys);
- {_, _} ->
+ case is_public_fields_configured(Db) of
+ true ->
+ do_all_docs_req(Req, Db, Keys, NS);
+ false ->
throw({forbidden, <<"Only admins can access _all_docs",
" of system databases.">>})
- end;
- _ ->
- throw({forbidden, <<"Only admins can access _all_docs",
- " of system databases.">>})
end
end;
false ->
- do_all_docs_req(Req, Db, Keys)
+ do_all_docs_req(Req, Db, Keys, NS)
end.
-do_all_docs_req(Req, Db, Keys) ->
+is_restricted(_Db, <<"_local">>) ->
+ true;
+is_restricted(Db, _) ->
+ couch_db:is_system_db(Db).
+
+is_public_fields_configured(Db) ->
+ DbName = ?b2l(Db#db.name),
+ case config:get("couch_httpd_auth",
+ "authentication_db",
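Review bot: `is_restricted/2` forces the admin check only when NS is exactly `<<"_local">>`; its second clause, `is_restricted(Db, _)`, treats every other value, including an unexpected or misspelled namespace, like the plain `_all_docs` case, so on a non-system database the restriction is silently skipped. The only other value visible in this hunk is the `undefined` passed by `all_docs_req/3`, so matching it explicitly with `is_restricted(Db, undefined) -> couch_db:is_system_db(Db).` would make an unknown namespace crash with `function_clause` instead of failing open (add one clause per namespace if callers outside this hunk pass others). The new guard `_ when NS == <<"_local">>` could also use `=:=`, and `all_docs_req/4` would benefit from a one-line comment on the values NS takes, e.g. `%% NS is undefined for _all_docs or <<"_local">> for _local_docs.` `is_public_fields_configured/1` runs past the end of the quoted hunk and is not covered by this note.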
--- End diff --
Indention ):