From ee8a76e1cad33831448dbf12a394c51aa65230f4 Mon Sep 17 00:00:00 2001 From: John Christopher Anderson Date: Mon, 1 Feb 2010 22:51:15 +0000 Subject: Database-level security. This patch builds on the DB-admins feature to store lists of database admin and reader names and roles, as well as a security object which can be used for configuration in validation functions. git-svn-id: https://svn.apache.org/repos/asf/couchdb/trunk@905436 13f79535-47bb-0310-9956-ffa450edef68 --- share/www/script/test/security_validation.js | 38 +++++++++++++++++++++++++--- 1 file changed, 34 insertions(+), 4 deletions(-) (limited to 'share/www/script/test/security_validation.js') diff --git a/share/www/script/test/security_validation.js b/share/www/script/test/security_validation.js index 43968426..9ecb9ba0 100644 --- a/share/www/script/test/security_validation.js +++ b/share/www/script/test/security_validation.js @@ -69,7 +69,13 @@ couchTests.security_validation = function(debug) { var designDoc = { _id:"_design/test", language: "javascript", - validate_doc_update: "(" + (function (newDoc, oldDoc, userCtx) { + validate_doc_update: "(" + (function (newDoc, oldDoc, userCtx, secObj) { + if (secObj.admin_override) { + if (userCtx.roles.indexOf('_admin') != -1) { + // user is admin, they can do anything + return true; + } + } // docs should have an author field. if (!newDoc._deleted && !newDoc.author) { throw {forbidden: @@ -99,11 +105,11 @@ couchTests.security_validation = function(debug) { } // set user as the admin - T(db.setDbProperty("_admins", ["Damien Katz"]).ok); + T(db.setDbProperty("_admins", {names : ["Damien Katz"]}).ok); T(userDb.save(designDoc).ok); - // test the _whoami endpoint + // test the _session API var resp = userDb.request("GET", "/_session"); var user = JSON.parse(resp.responseText).userCtx; T(user.name == "Damien Katz"); @@ -158,6 +164,31 @@ couchTests.security_validation = function(debug) { T(e.error == "unauthorized"); T(userDb.last_req.status == 401); } + + // admin must save with author field unless admin override + var resp = db.request("GET", "/_session"); + var user = JSON.parse(resp.responseText).userCtx; + T(user.name == null); + // test that we are admin + TEquals(user.roles, ["_admin"]); + + // can't save the doc even though we are admin + var doc = db.open("testdoc"); + doc.foo=3; + try { + db.save(doc); + T(false && "Can't get here. Should have thrown an error 3"); + } catch (e) { + T(e.error == "unauthorized"); + T(db.last_req.status == 401); + } + + // now turn on admin override + T(db.setDbProperty("_security", {admin_override : true}).ok); + T(db.save(doc).ok); + + // go back to normal + T(db.setDbProperty("_security", {admin_override : false}).ok); // Now delete document T(user2Db.deleteDoc(doc).ok); @@ -188,7 +219,6 @@ couchTests.security_validation = function(debug) { T(db.open("booboo") == null); T(db.open("foofoo") == null); - // Now test replication var AuthHeaders = {"WWW-Authenticate": "X-Couch-Test-Auth Christopher Lenz:dog food"}; var host = CouchDB.host; -- cgit v1.2.3