janl commented on code in PR #4139:
URL: https://github.com/apache/couchdb/pull/4139#discussion_r939533237
##########
src/chttpd/src/chttpd_db.erl:
##########
@@ -1037,16 +1037,18 @@ view_cb(Msg, Acc) ->
couch_mrview_http:view_cb(Msg, Acc).
db_doc_req(#httpd{method = 'DELETE'} = Req, Db, DocId) ->
- % check for the existence of the doc to handle the 404 case.
- couch_doc_open(Db, DocId, nil, []),
- case chttpd:qs_value(Req, "rev") of
+ % fetch the old doc revision, so we can compare access control
+ % in send_update_doc() later.
+ Doc0 = couch_doc_open(Db, DocId, nil, [{user_ctx, Req#httpd.user_ctx}]),
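Review bot: the new comment above `Doc0 = couch_doc_open(...)` drops the statement that this call is also what handles the 404 case for a missing document, which the removed comment spelled out. The call is kept, so that sentence should stay next to the access-control rationale. If passing `{user_ctx, Req#httpd.user_ctx}` means the open can now be refused for access reasons, nothing in this hunk shows how that failure reaches the client. A short comment on the expected status, plus a test for DELETE by a user without access to the document, would make the behaviour explicit.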
Review Comment:
Original Comment:
> If this fails (due to access restrictions) how does the 403 bubble back up
> to the user? I followed `chttpd_db:couch_doc_open/4` to `fabric:open_doc/3` to
> `fabric_doc_open:go/3` through to `couch_db:get_doc_info/2` but I couldn't work
> out where the access restriction is enforced.
>
> I presume we end up at some point in `couch_db:validate_access` or
> `check_access` which throws a `{forbidden, "something"}` but I couldn't see how
> this translates into a 403.
https://github.com/apache/couchdb/pull/3038#discussion_r475011886