validate_doc_read shouldn't prohibit deletions #12

fernandogmar opened this Issue Jul 17, 2012 · 1 comment

2 participants


What do you think?

when validate_doc_read is active, for example "just admin users can read the docs" (close to "dropbox: true" ;) )


function(doc, userCtx) {
var isAdmin = (userCtx.roles.indexOf('_admin') >= 0);
if (!isAdmin) {
throw({unauthorized: + ' cannnot read ' + doc._id});

A member of that dabase can POST & PUT a document, but he can't DELETE it :(. Why validate_doc_read validates deletions instead of validate_doc_update? I mean an user should be able to delete a document in the database if validate_doc_update doesn't prohibit to him.

something like this:


function(newDoc, oldDoc, userCtx) {
var isDeletingWithoutPermission = ( newDoc._deleted && ( oldDoc.user != ) );
if (isDeletingWithoutPermission) {
throw({unauthorized: + ' cannnot delete ' + doc._id});

but at this moment, when the user tryes this:
curl -XDELETE http://userX:userX@localhost:5984/testdb/0e4a414783ee3a743a68848a03001f63?rev=1-1be5a5c6039dc44fff8d7a6920129496

he gets:
{"error":"unauthorized","reason":"userX cannnot read 0e4a414783ee3a743a68848a03001f63"}

instead of:

(when user and author are equal each other)

(when user and author are different from each other)
{"error":"unauthorized","reason":"userX cannnot delete 0e4a414783ee3a743a68848a03001f63"}

I hope this has sense

@benoitc benoitc added a commit to rcouch/couch_core that referenced this issue Jul 29, 2012
@benoitc benoitc skip read validation on update. fix rcouch/rcouch#12
read ivalidation was already done when fetching the doc or the revision before.
@benoitc benoitc closed this Jul 29, 2012
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment