Hi Jan,

On 19.11.2010 23:55, Jan Lehnardt wrote:
> On 19 Nov 2010, at 23:48, Stefan Klein wrote:
> On 19.11.2010 13:54, Jan Lehnardt wrote:
>> On 19 Nov 2010, at 11:55, Stefan Klein wrote:
>>> Hi List,
>>>
>>> [ ... snip ...] Now I'm pretty unsure if this is an evil hack
>>> or even a bug in CouchDB which gets fixed or if it's just a
>>> really cool feature.
>> Looks like it is working as advertised :) — Beware though that if
>> you allow anyone to write to your database, people could run some
>> arbitrary JavaScript code. Worst that could happen though is
>> making infinite loops that CouchDB kills after 5 seconds and then
>> make many of them concurrently, i.e. a classical DoS situation.
>>
>> If it's only you that talks to the database, this looks like a
>> neat hack :)
>>
>> Cheers Jan
> Which can be handled by the validate function: only users with a
> specific role may create/update documents of a special type. Thank
> you!

> Actually, the validation function runs after the update function.

The critical document is the document with the ID which gets PUT to, not the newly submitted document. For those configuration documents (_id:www.youtube.com in my example) containing the evaled code, I'm going to restrict create/update access to trusted users.

regards,
Stefan
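Since validate_doc_update runs after the update function and sees the document stored under the PUT ID, it is the place to gate writes to those configuration documents. The following validate_doc_update is an added example, not code from this thread; it assumes config documents carry `type: "config"`, that the trusted role is called `config_admin`, and that the evaluated code lives in a field named `code`.

```javascript
// validate_doc_update for a CouchDB design document (added example, not from the thread).
// Assumptions: configuration documents are marked with type: "config", the trusted role is
// named "config_admin", and the evaluated code lives in a field called "code".
function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  function isConfig(doc) {
    return !!doc && doc.type === "config";
  }
  // A deletion carries only _id, _rev and _deleted, so classify it by the old revision too.
  var touchesConfig = isConfig(newDoc) || isConfig(oldDoc);
  if (!touchesConfig) {
    return; // writes to ordinary documents are accepted by this example
  }
  if (!userCtx || !userCtx.name) {
    throw { unauthorized: "Log in to change configuration documents" };
  }
  var roles = userCtx.roles || [];
  if (roles.indexOf("_admin") === -1 && roles.indexOf("config_admin") === -1) {
    throw { forbidden: "Only config_admin users may create, update or delete config documents" };
  }
  // A config doc must not be re-typed so that it escapes this check on a later write.
  if (newDoc && !newDoc._deleted && !isConfig(newDoc)) {
    throw { forbidden: "Configuration documents must keep type: \"config\"" };
  }
  if (newDoc && !newDoc._deleted && typeof newDoc.code !== "string") {
    throw { forbidden: "Configuration documents need a string field \"code\"" };
  }
}

// Small harness mimicking how CouchDB calls the function; all sample data is constructed.
function checkWrite(newDoc, oldDoc, userCtx) {
  try {
    validate_doc_update(newDoc, oldDoc, userCtx, {});
    return "ok";
  } catch (e) {
    return e.unauthorized ? "unauthorized" : "forbidden";
  }
}

var adminCtx = { name: "alice", roles: ["config_admin"] };
var plainCtx = { name: "bob", roles: [] };
var configDoc = { _id: "www.youtube.com", type: "config", code: "function(doc){ return doc; }" };
var retyped = { _id: "www.youtube.com", type: "note" };
var deletion = { _id: "www.youtube.com", _deleted: true };

console.log(checkWrite(configDoc, null, adminCtx));                  // ok
console.log(checkWrite(configDoc, null, plainCtx));                  // forbidden
console.log(checkWrite(retyped, configDoc, adminCtx));               // forbidden (re-typing)
console.log(checkWrite(deletion, configDoc, plainCtx));              // forbidden
console.log(checkWrite({ _id: "x", type: "note" }, null, plainCtx)); // ok
```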

