rnewson commented on code in PR #4139:
URL: https://github.com/apache/couchdb/pull/4139#discussion_r1020210925
##########
src/couch/src/couch_db.erl:
##########
@@ -770,6 +792,75 @@ security_error_type(#user_ctx{name = null}) ->
security_error_type(#user_ctx{name = _}) ->
forbidden.
+is_per_user_ddoc(#doc{access=[]}) -> false;
+is_per_user_ddoc(#doc{access=[<<"_users">>]}) -> false;
+is_per_user_ddoc(_) -> true.
+
+validate_access(Db, Doc) ->
+ validate_access(Db, Doc, []).
+
+validate_access(Db, Doc, Options) ->
+ validate_access1(has_access_enabled(Db), Db, Doc, Options).
+
+validate_access1(false, _Db, _Doc, _Options) -> ok;
+validate_access1(true, Db, #doc{meta=Meta}=Doc, Options) ->
+ case proplists:get_value(conflicts, Meta) of
+ undefined -> % no conflicts
+ case is_read_from_ddoc_cache(Options) andalso
is_per_user_ddoc(Doc) of
+ true -> throw({not_found, missing});
+ _False -> validate_access2(Db, Doc)
+ end;
+ _Else -> % only admins can read conflicted docs in _access dbs
+ % TODO: expand: if leaves agree on _access, then a user should
be able
+ % to proceed normally, only if they disagree should this
become admin-only
+ case is_admin(Db) of
+ true -> ok;
+ _Else2 -> throw({forbidden, <<"document is in conflict">>})
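Review bot: the conflict gate at `proplists:get_value(conflicts, Meta)` only fires when the caller populated `conflicts` in `#doc.meta`; a document opened without that information reaches `validate_access2(Db, Doc)` even if it has conflicting leaves, so either require (and document) that every path into `validate_access/3` opens the doc with conflict info, or derive the conflict state from the revision tree here instead of from `Meta`. The `is_read_from_ddoc_cache(Options) andalso is_per_user_ddoc(Doc)` branch also deserves a comment explaining why a per-user ddoc served from the cache is reported as `{not_found, missing}` while every other rejection in this function is `forbidden`; it is the one path that hides the document rather than refusing the request, and a reader of `_Else2 -> throw({forbidden, <<"document is in conflict">>})` will wonder about the asymmetry.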
Review Comment:
I think we need to define what a conflicted _access document means. There are a few options:
1) the winning revision is the only one we consider. (side-effect is you lose access if a winner appears via replication / split-brain, as you noted)
2) we block all non-admin access until conflicts are resolved.
3) access is the combination of all the conflicts.
There's good and bad in each of those. Of the three listed, 1 seems least surprising / most reasonable.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
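The three semantics listed in the review comment, plus the refinement sketched in the hunk's TODO (proceed normally when the leaves agree on _access, admin-only when they disagree), written out as an added Erlang illustration. This is not code from the CouchDB PR or the project; the leaf shape `{RevPos, RevId, Access}`, the winner-first ordering of the list, the module and function names, and the sample leaves are all assumptions constructed for the example.

```erlang
%% Added illustration, not code from the CouchDB PR: the candidate
%% semantics for _access on a conflicted document, applied to a
%% constructed set of leaf revisions. The leaf shape {RevPos, RevId, Access}
%% and the "winner first" ordering are assumptions of this example.
-module(access_conflict_example).
-export([leaves/0, effective_access/2, can_read/3]).

%% Constructed sample: after replication two leaves disagree on _access.
%% The first element is taken to be the winning revision (assumption).
leaves() ->
    [{2, <<"bbb">>, [<<"alice">>]},                 % winning leaf
     {2, <<"aaa">>, [<<"alice">>, <<"bob">>]}].     % conflicting leaf

%% A single leaf is not a conflict; every policy agrees on it.
effective_access(_Policy, [{_, _, Access}]) ->
    {ok, lists:usort(Access)};
%% Option 1: only the winning revision is considered.
effective_access(winner, [{_, _, Access} | _]) ->
    {ok, lists:usort(Access)};
%% Option 2: block all non-admin access until conflicts are resolved.
effective_access(admin_only, _Leaves) ->
    {error, <<"document is in conflict">>};
%% Option 3: access is the combination (union) of all conflicting leaves.
effective_access(union, Leaves) ->
    {ok, lists:usort(lists:append([A || {_, _, A} <- Leaves]))};
%% The hunk's TODO: proceed normally when the leaves agree on _access,
%% fall back to admin-only when they disagree.
effective_access(agree_or_admin, Leaves) ->
    case lists:usort([lists:usort(A) || {_, _, A} <- Leaves]) of
        [Access] -> {ok, Access};
        _ -> {error, <<"document is in conflict">>}
    end.

%% Access decision for a non-admin user under a policy. Admins are
%% short-circuited before this point in the PR, so they are not modelled.
can_read(Policy, User, Leaves) ->
    case effective_access(Policy, Leaves) of
        {ok, Access} -> lists:member(User, Access);
        {error, _Reason} -> false
    end.
```

In an Erlang shell, `access_conflict_example:can_read(union, <<"bob">>, access_conflict_example:leaves())` returns `true`, while the same call with `winner`, `admin_only` or `agree_or_admin` returns `false`: `winner` is the "you lose access if a winner appears via replication" side effect the comment mentions, and `agree_or_admin` only diverges from `winner` when the leaves carry identical _access lists, in which case it grants access instead of going admin-only.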