From 9100e321d43690f448895371af83971358793a1a Mon Sep 17 00:00:00 2001
From: Jan Lehnardt
Date: Sun, 24 Apr 2016 01:28:32 +0200
Subject: [PATCH] restore 1.x behaviour: user docs in conflict cannot login

Adds config option chttpd_auth/allow_conflicted_user_docs to toggle this behaviour. The default is to not allow conflicted user docs to log in successfully.
---
 src/chttpd_auth_cache.erl | 32 +++++++++++++++++++++++++++-----
 1 file changed, 27 insertions(+), 5 deletions(-)

diff --git a/src/chttpd_auth_cache.erl b/src/chttpd_auth_cache.erl
index 8a64ae7..8f0c576 100644
--- a/src/chttpd_auth_cache.erl
+++ b/src/chttpd_auth_cache.erl
@@ -48,10 +48,7 @@ get_user_creds(_Req, UserName) when is_binary(UserName) ->
 couch_util:get_value(<<"roles">>, UserProps))
 end
 end,
- case Resp of
- nil -> nil;
- _ -> {ok, Resp, nil}
- end.
+ maybe_validate_user_creds(Resp).

 update_user_creds(_Req, UserDoc, _Ctx) ->
 {_, Ref} = spawn_monitor(fun() ->
@@ -163,7 +160,7 @@ changes_callback({error, _}, EndSeq) ->
 exit({seq, EndSeq}).

 load_user_from_db(UserName) ->
- try fabric:open_doc(dbname(), docid(UserName), [?ADMIN_CTX, ejson_body]) of
+ try fabric:open_doc(dbname(), docid(UserName), [?ADMIN_CTX, ejson_body, conflicts]) of
 {ok, Doc} ->
 {Props} = couch_doc:to_json_obj(Doc, []),
 Props;
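Review bot: get_user_creds/2 can now leave through a throw, because the new tail call `maybe_validate_user_creds(Resp)` can reach `validate_user_creds/1`, which throws `{unauthorized, Msg}`; before this change the function only returned `nil` or `{ok, Resp, nil}`. Nothing on the function records that, and its body starts outside this hunk, so callers that only match on the return value are not visible here. I would add a comment above the clause, e.g. `% throws {unauthorized, Msg} when the user doc has conflicts and they are not allowed`, and confirm that every caller lets the throw reach the HTTP error handling rather than treating it as a crash.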
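Review bot: The conflict check added at the end of the file only works when `<<"_conflicts">>` is present in the props, and this `fabric:open_doc/3` call is the only place in the patch that requests it. If credentials can also be served from a cache filled by another path (the module name and `changes_callback` suggest one, but it is not visible in this hunk), those entries would carry no `_conflicts` member and pass unchecked. That is worth confirming before relying on the check, and a short comment on this line such as `% conflicts: required by maybe_validate_user_creds/1` would keep the option from being dropped in a later cleanup.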
@@ -209,3 +206,28 @@ update_doc_ignoring_conflict(DbName, Doc, Options) ->
 throw:conflict ->
 ok
 end.
+
+maybe_validate_user_creds(nil) ->
+ nil;
+maybe_validate_user_creds(UserCreds) ->
+ AllowConflictedUserDocs = config:get_boolean("chttpd_auth", "allow_conflicted_user_docs", false),
+ maybe_validate_user_creds(UserCreds, AllowConflictedUserDocs).
+
+maybe_validate_user_creds(UserCreds, false) ->
+ {ok, UserCreds, nil};
+maybe_validate_user_creds(UserCreds, true) ->
+ validate_user_creds(UserCreds).
+
+% throws if UserCreds includes a _conflicts member
+% returns UserCreds otherwise
+validate_user_creds(UserCreds) ->
+ case couch_util:get_value(<<"_conflicts">>, UserCreds) of
+ undefined ->
+ ok;
+ _ConflictList ->
+ throw({unauthorized,
+ <<"User document conflicts must be resolved before the document",
+ " is used for authentication purposes.">>
+ })
+ end,
+ {ok, UserCreds, nil}.
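Review bot: The two clauses of `maybe_validate_user_creds/2` are inverted relative to the option name and the commit message: with the default `allow_conflicted_user_docs = false` the `false` clause returns `{ok, UserCreds, nil}` without looking at `_conflicts`, so a conflicted user doc still authenticates, and the check only runs when the option is set to `true`. Swap the heads so that `maybe_validate_user_creds(UserCreds, true) -> {ok, UserCreds, nil};` and `maybe_validate_user_creds(UserCreds, false) -> validate_user_creds(UserCreds).` The comment above `validate_user_creds/1` should also read `% returns {ok, UserCreds, nil} otherwise`, since that is what the last line returns. A test that authenticates with a conflicted user doc under both settings would pin the intended default.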