From 419a3545fadc3993da302fe7a35a773ac0ae0cac Mon Sep 17 00:00:00 2001
From: John Christopher Anderson <jchris@apache.org>
Date: Wed, 7 Apr 2010 19:51:04 +0000
Subject: temp_views should be only available to server and database admins

git-svn-id: https://svn.apache.org/repos/asf/couchdb/trunk@931655 13f79535-47bb-0310-9956-ffa450edef68
---
 src/couchdb/couch_db.erl         | 1 +
 src/couchdb/couch_httpd_view.erl | 1 +
 2 files changed, 2 insertions(+)

(limited to 'src/couchdb')

diff --git a/src/couchdb/couch_db.erl b/src/couchdb/couch_db.erl
index 36ca4a42..622e0ee9 100644
--- a/src/couchdb/couch_db.erl
+++ b/src/couchdb/couch_db.erl
@@ -26,6 +26,7 @@
 -export([set_security/2,get_security/1]).
 -export([init/1,terminate/2,handle_call/3,handle_cast/2,code_change/3,handle_info/2]).
 -export([changes_since/5,changes_since/6,read_doc/2,new_revid/1]).
+-export([check_is_admin/1, check_is_reader/1]).
 
 -include("couch_db.hrl").
 
diff --git a/src/couchdb/couch_httpd_view.erl b/src/couchdb/couch_httpd_view.erl
index 5be702ca..273689e7 100644
--- a/src/couchdb/couch_httpd_view.erl
+++ b/src/couchdb/couch_httpd_view.erl
@@ -77,6 +77,7 @@ handle_view_req(Req, _Db, _DDoc) ->
     send_method_not_allowed(Req, "GET,POST,HEAD").
 
 handle_temp_view_req(#httpd{method='POST'}=Req, Db) ->
+    ok = couch_db:check_is_admin(Db),
     couch_stats_collector:increment({httpd, temporary_view_reads}),
     {Props} = couch_httpd:json_body_obj(Req),
     Language = proplists:get_value(<<"language">>, Props, <<"javascript">>),
-- 
cgit v1.2.3