janl commented on code in PR #4139:
URL: https://github.com/apache/couchdb/pull/4139#discussion_r950671648


##########
src/couch/src/couch_db.erl:
##########
@@ -770,6 +792,75 @@ security_error_type(#user_ctx{name = null}) ->
 security_error_type(#user_ctx{name = _}) ->
     forbidden.
 
+is_per_user_ddoc(#doc{access=[]}) -> false;
+is_per_user_ddoc(#doc{access=[<<"_users">>]}) -> false;
+is_per_user_ddoc(_) -> true.
+
+validate_access(Db, Doc) ->
+    validate_access(Db, Doc, []).
+
+validate_access(Db, Doc, Options) ->
+    validate_access1(has_access_enabled(Db), Db, Doc, Options).
+
+validate_access1(false, _Db, _Doc, _Options) -> ok;
+validate_access1(true, Db, #doc{meta=Meta}=Doc, Options) ->
+    case proplists:get_value(conflicts, Meta) of
+        undefined -> % no conflicts
+            case is_read_from_ddoc_cache(Options) andalso 
is_per_user_ddoc(Doc) of
+                true -> throw({not_found, missing});
+                _False -> validate_access2(Db, Doc)
+            end;
+        _Else -> % only admins can read conflicted docs in _access dbs
+               % TODO: expand: if leaves agree on _access, then a user should 
be able
+               %       to proceed normally, only if they disagree should this 
become admin-only
+            case is_admin(Db) of
+                true -> ok;
+                _Else2 -> throw({forbidden, <<"document is in conflict">>})
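Review bot: the conflicted branch throws `{forbidden, <<"document is in conflict">>}` before `validate_access2(Db, Doc)` ever runs, so a non-admin who has no access to the doc at all still learns that it exists and is in conflict, while the non-conflicted per-user ddoc path returns `{not_found, missing}`; consider running the access check first (or returning `not_found` for users not listed in `_access`) so the two paths expose the same error surface. The TODO about leaves agreeing on `_access` deserves a tracking issue, since the split-brain case this guards against is exactly where the leaves disagree.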

Review Comment:
   Ah yes, I think this was meant as a safeguard for a cluster in split-brain, 
where two users create the same doc _id with an _access field set to them. On 
cluster reconciliation, the doc will be in conflict and have one of the users 
as the winning rev. This could mean that someone writes a doc into the db and it 
becomes inaccessible later if retrieved only with the _id. We could make it 
that a retrieval with _id/_rev could be allowed for the other user, but it 
wouldn’t help with _changes and _all_docs.
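The expansion sketched in the hunk's TODO (let a user through when all conflict leaves agree on `_access`, fall back to admin-only when they disagree), as an added Python model that is not CouchDB code; the leaf/doc shapes, the `user_ctx` dict and the error mapping are assumptions chosen to mirror the `forbidden` / `not_found` outcomes in the hunk.

```python
# Added illustration, not part of CouchDB: decides read access for a document
# that is in conflict, per the TODO next to validate_access1/2. All names and
# data shapes here are assumptions for the example.
ADMIN_ROLE = "_admin"


def leaves_agree_on_access(leaves: list) -> bool:
    """True when every conflict leaf carries the same _access members
    (order-insensitive). Disagreement is the split-brain case from the review."""
    access_sets = {frozenset(leaf.get("_access", [])) for leaf in leaves}
    return len(access_sets) == 1


def user_may_read(user_ctx: dict, access: list) -> bool:
    """Normal (non-conflict) _access check: the user's name or any of its
    roles must be listed in the document's _access array."""
    principals = {user_ctx["name"], *user_ctx.get("roles", [])}
    return bool(principals & set(access))


def validate_conflicted_access(user_ctx: dict, leaves: list) -> str:
    """Return "ok" or raise, following the proposed expansion of the TODO:
    admins always pass; non-admins pass only if the leaves agree on _access
    and that _access lists them; disagreeing leaves stay admin-only."""
    if ADMIN_ROLE in user_ctx.get("roles", []):
        return "ok"
    if not leaves_agree_on_access(leaves):
        # Mirrors throw({forbidden, <<"document is in conflict">>}) in the hunk.
        raise PermissionError("document is in conflict")
    if user_may_read(user_ctx, leaves[0].get("_access", [])):
        return "ok"
    # Non-member of an agreed _access list: treat like a missing doc so the
    # response does not reveal that the document exists (assumption).
    raise LookupError("not_found")


# Constructed sample: two partitions each created doc "shared-id" for a
# different user, then reconciled into two conflicting leaves.
SPLIT_BRAIN_LEAVES = [
    {"_id": "shared-id", "_rev": "1-a", "_access": ["alice"]},
    {"_id": "shared-id", "_rev": "1-b", "_access": ["bob"]},
]
# Constructed sample: a plain edit conflict where both leaves belong to alice.
AGREEING_LEAVES = [
    {"_id": "notes", "_rev": "2-x", "_access": ["alice"]},
    {"_id": "notes", "_rev": "2-y", "_access": ["alice"]},
]
```

With the split-brain leaves, neither alice nor bob can read the doc, only an admin; with the agreeing leaves, alice reads normally and bob gets the not-found outcome.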



-- 
This is an automated message from the Apache Git Service.