From a660f60b9644836b0dbdf54cd04b15f4d4654d0f Mon Sep 17 00:00:00 2001
From: Victor Shyba
Date: Fri, 18 Sep 2015 17:30:19 -0300
Subject: [feat] ensure security document

Beyond ensuring ddocs, it is also necessary to ensure _security doc presence while creating a database. This document will tell couchdb to grant access to 'soledad' user as a member role and no one as admin.
---
 common/src/leap/soledad/common/couch.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/common/src/leap/soledad/common/couch.py b/common/src/leap/soledad/common/couch.py
index 36f6239e..d9ed5026 100644
--- a/common/src/leap/soledad/common/couch.py
+++ b/common/src/leap/soledad/common/couch.py
@@ -435,6 +435,7 @@ class CouchDatabase(CommonBackend):
 self._set_replica_uid(replica_uid)
 if ensure_ddocs:
 self.ensure_ddocs_on_db()
+ self.ensure_security()
 self._cache = None
 
 @property
@@ -467,6 +468,16 @@ class CouchDatabase(CommonBackend):
 getattr(ddocs, ddoc_name)))
 self._database.save(ddoc)
 
+ def ensure_security(self):
+ """
+ Make sure that only soledad user is able to access this database as
+ a member.
+ """
+ security = self._database.security
+ security['members'] = {'names': ['soledad'], 'roles': []}
+ security['admins'] = {'names': [], 'roles': []}
+ self._database.security = security
+
 def get_sync_target(self):
 """
 Return a SyncTarget object, for another u1db to synchronize with.
--
cgit v1.2.3
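Review bot: The added `self.ensure_security()` directly follows `self.ensure_ddocs_on_db()` under `if ensure_ddocs:`; indentation is lost on this page, but if the call is inside that branch, a database opened with `ensure_ddocs=False` never gets the restricted `_security` object, and CouchDB treats an empty members list as open to every user. Access control does not depend on the design documents, so this coupling deserves at least a comment such as `# NOTE: _security is only applied when ensure_ddocs is set`. Calling `self.ensure_security()` before `self.ensure_ddocs_on_db()` would also shorten the time the database spends with its previous permissions. The enclosing method starts above the hunk.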
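Review bot: `ensure_security` writes the `_security` object unconditionally, so every call replaces whatever `members` and `admins` were stored, including entries an operator added on purpose, and it needs admin credentials each time because CouchDB only lets database or server admins write `_security`. Writing only when the stored value differs keeps the call idempotent and avoids a needless privileged request; the docstring should also say that existing members and admins are replaced and that server admins keep access regardless. The `'soledad'` user name is hard-coded in the method and would be easier to audit as a module-level constant.

```python
    def ensure_security(self):
        # … unchanged: docstring …
        security = self._database.security
        wanted = {
            'members': {'names': ['soledad'], 'roles': []},
            'admins': {'names': [], 'roles': []},
        }
        if all(security.get(key) == value for key, value in wanted.items()):
            # already restricted: skip the admin-only write
            return
        security.update(wanted)
        self._database.security = security
```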