BugzID: 12534 respect reader lists. #2

Merged
merged 1 commit into from Aug 24, 2011

rnewson commented Aug 23, 2011

No description provided.

src/chttpd_db.erl
@@ -194,6 +194,8 @@ delete_db_req(#httpd{}=Req, DbName) ->
end.
do_db_req(#httpd{path_parts=[DbName|_], user_ctx=Ctx}=Req, Fun) ->
SecObj = fabric:get_security(DbName),
check_is_reader(Ctx, SecObj),
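
Review bot: The result of check_is_reader(Ctx, SecObj) in do_db_req is discarded, so this authorization step only works if the function throws on failure; say so in a comment or match on the return value, so a later refactor cannot turn it into a silent no-op. The security object is also fetched by fabric:get_security(DbName) without Ctx, which leaves this one line as the only place the requesting user is authorized. Consider passing Ctx into the lookup itself so that fetching the security object and authorizing the caller cannot be separated.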

kocolosk Aug 24, 2011

Perhaps it's good that we're explicit here, but I think the call to check_is_reader is redundant. get_security/1 opens the database shard using couch_db:open/2 and thus triggers a reader list check.

rnewson Aug 24, 2011

fabric:get_security/1 does call check_is_reader but does so as admin, so we need to explicitly check.

kocolosk Aug 24, 2011

Yes, quite right. fabric:get_security/2 with the user's context should do the check, though.

kocolosk Aug 24, 2011

Looks good @rnewson. Can you squash the commits and adhere to the (just posted) commit message guidelines?

Robert Newson
Respect reader lists
Check that the user has read access to the database before returning
success. Calling fabric:get_security/2 with the user's security context
triggers a call to check_is_reader which constitutes authorization.

BugzID: 12534

@kocolosk kocolosk merged commit ea8076c into master Aug 24, 2011
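
The point the thread settles on, as an added Erlang sketch that is not the project's code: a reader check run under an internal admin context passes for every caller, while the same check run with the caller's context rejects a user who is not on the reader list. The records, the `_admin` role name, `open/2` and both `get_security` variants below are hypothetical stand-ins that only mirror the names used in the discussion.

```erlang
-module(reader_check_demo).
-export([demo/0]).

%% Hypothetical stand-ins for this sketch; not the project's records or API.
-record(ctx, {name, roles = []}).
-record(db, {name, readers = []}).

%% Constructed sample database with a reader list.
sample_db() -> #db{name = <<"payroll">>, readers = [<<"alice">>]}.

%% Throws unless the context is an admin or is on the reader list.
check_is_reader(#ctx{name = Name, roles = Roles}, #db{readers = Readers}) ->
    case lists:member(<<"_admin">>, Roles) orelse lists:member(Name, Readers) of
        true -> ok;
        false -> throw({unauthorized, Name})
    end.

%% Opening a database always runs the reader check for the given context.
open(Db, Ctx) ->
    ok = check_is_reader(Ctx, Db),
    {ok, Db}.

%% Arity 1: opens with an internal admin context, so the check inside
%% open/2 passes for every caller and authorizes nobody in particular.
get_security(Db) ->
    get_security(Db, #ctx{name = <<"internal">>, roles = [<<"_admin">>]}).

%% Arity 2: opens with the caller's context, so the check is meaningful.
get_security(Db, Ctx) ->
    {ok, #db{readers = Readers}} = open(Db, Ctx),
    [{readers, Readers}].

%% Runs both variants for a user who is not on the reader list and
%% returns {ResultOfArity1, ResultOfArity2}.
demo() ->
    Db = sample_db(),
    Bob = #ctx{name = <<"bob">>},
    AsAdmin = (catch get_security(Db)),
    AsUser = (catch get_security(Db, Bob)),
    {AsAdmin, AsUser}.
```

In `demo/0` the arity-1 call returns the security data even though the request came from a user outside the reader list, and the arity-2 call yields the thrown `{unauthorized, <<"bob">>}` term.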
