feat: add access handling to show/list/update w/tests

Author: janl

src/chttpd/src/chttpd_show.erl

@@ -79,7 +79,7 @@ handle_doc_show(Req, Db, DDoc, ShowName, Doc) ->
 
 handle_doc_show(Req, Db, DDoc, ShowName, Doc, DocId) ->
     %% Will throw an exception if the _show handler is missing
-    couch_log:notice("~n DDoc: '~p'~n", [DDoc]),
+    ok = couch_db:validate_access(Db, DDoc),
     couch_util:get_nested_json_value(DDoc#doc.body, [<<"shows">>, ShowName]),
     % get responder for ddoc/showname
     CurrentEtag = show_etag(Req, Doc, DDoc, []),
@@ -138,6 +138,7 @@ handle_doc_update_req(Req, _Db, _DDoc) ->
 
 send_doc_update_response(Req, Db, DDoc, UpdateName, Doc, DocId) ->
     %% Will throw an exception if the _update handler is missing
+    % ok = couch_db:validate_access(Db, DDoc),
     couch_util:get_nested_json_value(DDoc#doc.body, [<<"updates">>, UpdateName]),
     JsonReq = chttpd_external:json_req_obj(Req, Db, DocId),
     JsonDoc = couch_query_servers:json_doc(Doc),
@@ -250,6 +251,7 @@ handle_view_list_req(Req, _Db, _DDoc) ->
 
 handle_view_list(Req, Db, DDoc, LName, {ViewDesignName, ViewName}, Keys) ->
     %% Will throw an exception if the _list handler is missing
+    ok = couch_db:validate_access(Db, DDoc),
     couch_util:get_nested_json_value(DDoc#doc.body, [<<"lists">>, LName]),
     DbName = couch_db:name(Db),
     {ok, VDoc} = ddoc_cache:open(DbName, <<"_design/", ViewDesignName/binary>>),

src/couch/test/eunit/couchdb_access_tests.erl

@@ -120,6 +120,16 @@ access_test_() ->
         fun should_allow_admin_query_view_from_ddoc_without_access/2,
         fun should_not_allow_user_query_view_from_ddoc_without_access/2,
 
+        % show, list & view
+        fun should_allow_admin_show_view_from_ddoc_without_access/2,
+        fun should_not_allow_user_show_view_from_ddoc_without_access/2,
+        fun should_allow_admin_list_view_from_ddoc_without_access/2,
+        fun should_not_allow_user_list_view_from_ddoc_without_access/2,
+        fun should_allow_admin_update_with_ddoc_without_access/2,
+        fun should_not_allow_user_update_with_ddoc_without_access/2,
+        % once we allow access ddocs, we must not allow updating a doc
+        % that does not belong to us
+
         % replication
         fun should_allow_admin_to_replicate_from_access_to_access/2,
         fun should_allow_admin_to_replicate_from_no_access_to_access/2,
@@ -651,6 +661,116 @@ should_not_allow_user_query_view_from_ddoc_without_access(_PortType, Url) ->
     ),
     ?_assertEqual(403, Code1).
 
+% show, list & updates
+
+-define(SHOW_DDOC, #{
+        views =>  #{
+            foo => #{
+                map => <<"function() {}">>
+            }
+        },
+        shows => #{
+            show1 => <<"function(doc) { return 'hi' }">>
+        }
+    }).
+
+should_allow_admin_show_view_from_ddoc_without_access(_PortType, Url) ->
+    {ok, Code, _, _} = test_request:put(
+        Url ++ "/db/_design/a",
+        ?ADMIN_REQ_HEADERS,
+        jiffy:encode(?SHOW_DDOC)
+    ),
+    ?assertEqual(201, Code),
+    {ok, Code1, _, _} = test_request:get(
+        Url ++ "/db/_design/a/_show/show1",
+        ?ADMIN_REQ_HEADERS
+    ),
+    ?_assertEqual(200, Code1).
+
+should_not_allow_user_show_view_from_ddoc_without_access(_PortType, Url) ->
+    {ok, Code, _, _} = test_request:put(
+        Url ++ "/db/_design/a",
+        ?ADMIN_REQ_HEADERS,
+        jiffy:encode(?SHOW_DDOC)
+    ),
+    ?assertEqual(201, Code),
+    {ok, Code1, _, _} = test_request:get(
+        Url ++ "/db/_design/a/_show/show1",
+        ?USERX_REQ_HEADERS
+    ),
+    ?_assertEqual(403, Code1).
+
+-define(LIST_DDOC, #{
+        views =>  #{
+            foo => #{
+                map => <<"function() {}">>
+            }
+        },
+        lists => #{
+            list1 => <<"function(head, req) { send('hi') }">>
+        }
+    }).
+
+should_allow_admin_list_view_from_ddoc_without_access(_PortType, Url) ->
+    {ok, Code, _, _} = test_request:put(
+        Url ++ "/db/_design/a",
+        ?ADMIN_REQ_HEADERS,
+        jiffy:encode(?LIST_DDOC)
+    ),
+    ?assertEqual(201, Code),
+    {ok, Code1, _, _} = test_request:get(
+        Url ++ "/db/_design/a/_list/list1/foo",
+        ?ADMIN_REQ_HEADERS
+    ),
+    ?_assertEqual(200, Code1).
+
+should_not_allow_user_list_view_from_ddoc_without_access(_PortType, Url) ->
+    {ok, Code, _, _} = test_request:put(
+        Url ++ "/db/_design/a",
+        ?ADMIN_REQ_HEADERS,
+        jiffy:encode(?LIST_DDOC)
+    ),
+    ?assertEqual(201, Code),
+    {ok, Code1, _, _} = test_request:get(
+        Url ++ "/db/_design/a/_list/list1/foo",
+        ?USERX_REQ_HEADERS
+    ),
+    ?_assertEqual(403, Code1).
+
+-define(UPDATE_DDOC, #{
+        updates =>  #{
+            update1 => <<"function(doc) { return [{_id: 'yay', a: 2}, 'done!']; }">>
+        }
+    }).
+
+should_allow_admin_update_with_ddoc_without_access(_PortType, Url) ->
+    {ok, Code, _, _} = test_request:put(
+        Url ++ "/db/_design/a",
+        ?ADMIN_REQ_HEADERS,
+        jiffy:encode(?UPDATE_DDOC)
+    ),
+    ?assertEqual(201, Code),
+    {ok, Code1, _, _} = test_request:post(
+        Url ++ "/db/_design/a/_update/update1",
+        ?ADMIN_REQ_HEADERS,
+        jiffy:encode(#{a => 1})
+    ),
+    ?_assertEqual(201, Code1).
+
+should_not_allow_user_update_with_ddoc_without_access(_PortType, Url) ->
+    {ok, Code, _, _} = test_request:put(
+        Url ++ "/db/_design/a",
+        ?ADMIN_REQ_HEADERS,
+        jiffy:encode(?UPDATE_DDOC)
+    ),
+    ?assertEqual(201, Code),
+    {ok, Code1, _, _} = test_request:post(
+        Url ++ "/db/_design/a/_update/update1",
+        ?USERX_REQ_HEADERS,
+        jiffy:encode(#{a => 1})
+    ),
+    ?_assertEqual(403, Code1).
+
 % replication
 
 should_allow_admin_to_replicate_from_access_to_access(_PortType, Url) ->

src/couch/test/eunit/couchdb_mrview_cors_tests.erl

@@ -18,7 +18,6 @@
 -define(DDOC,
     {[
         {<<"_id">>, <<"_design/foo">>},
-        {<<"_access">>, [<<"user_a">>]},
         {<<"shows">>,
             {[
                 {<<"bar">>, <<"function(doc, req) {return '<h1>wosh</h1>';}">>}
@@ -98,7 +97,7 @@ should_make_shows_request(_, {Host, DbName}) ->
     end).
 
 create_db(backdoor, DbName) ->
-    {ok, Db} = couch_db:create(DbName, [?ADMIN_CTX, {access, true}]),
+    {ok, Db} = couch_db:create(DbName, [?ADMIN_CTX]),
     couch_db:close(Db);
 create_db(clustered, DbName) ->
     {ok, Status, _, _} = test_request:put(db_url(DbName), [?AUTH], ""),