janl commented on code in PR #4139:
URL: https://github.com/apache/couchdb/pull/4139#discussion_r939533237
##########
src/chttpd/src/chttpd_db.erl:
##########
@@ -1037,16 +1037,18 @@ view_cb(Msg, Acc) ->
couch_mrview_http:view_cb(Msg, Acc).
db_doc_req(#httpd{method = 'DELETE'} = Req, Db, DocId) ->
- % check for the existence of the doc to handle the 404 case.
- couch_doc_open(Db, DocId, nil, []),
- case chttpd:qs_value(Req, "rev") of
+ % fetch the old doc revision, so we can compare access control
+ % in send_update_doc() later.
+ Doc0 = couch_doc_open(Db, DocId, nil, [{user_ctx, Req#httpd.user_ctx}]),
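Review bot: the rewritten comment above the `couch_doc_open` call drops the earlier note that this call also handles the 404 case for a missing document, and it does not say what happens when the open is refused now that `{user_ctx, Req#httpd.user_ctx}` is passed. Suggest keeping the 404 remark and adding a line on the access-denied path (which error is raised, and that it is expected to propagate to the HTTP response). As written, `Doc0` appears to be bound only for a later comparison in `send_update_doc()`, and a reader cannot tell from this clause that the call is also the existence and read-access check.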
Review Comment:
Original Comment:
> If this fails (due to access restrictions) how does the 403 bubble back up to the user? I followed chttpd_db:couch_doc_open/4 to fabric:open_doc/3 to fabric_doc_open:go/3 through to couch_db:get_doc_info/2 but I couldn't work out where the access restriction is enforced.
>
> I presume we end up at some point in couch_db:validate_access or check_access which throws a {forbidden, "something"} but I couldn't see how this translates into a 403.
https://github.com/apache/couchdb/pull/3038#discussion_r475011886