Skip to content

Instantly share code, notes, and snippets.

@lambder

lambder/validate_doc_update.js

Created November 5, 2010 14:05
Show Gist options
  • Save lambder/664203 to your computer and use it in GitHub Desktop.
Save lambder/664203 to your computer and use it in GitHub Desktop.
Download ZIP
validate_doc_update
Raw
validate_doc_update.js
function(newDoc, oldDoc, userCtx) {
if (newDoc._deleted === true) {
// allow deletes by 'cluster admins', 'system admins' and matching users
// without checking the other fields
if ((userCtx.roles.indexOf('_admin') !== -1) || (userCtx.roles.indexOf('system_admin') !== -1) || (userCtx.name == oldDoc.name)) {
return;
} else {
throw({forbidden: 'Only admins may delete other user docs. **************'});
}
}
if ((oldDoc && oldDoc.type !== 'user') || newDoc.type !== 'user') {
throw({forbidden : 'doc.type must be user'});
} // we only allow user docs for now
if (!newDoc.name) {
throw({forbidden: 'doc.name is required'});
}
if (!(newDoc.roles && (typeof newDoc.roles.length !== 'undefined'))) {
throw({forbidden: 'doc.roles must be an array'});
}
if (newDoc._id !== ('org.couchdb.user:' + newDoc.name)) {
throw({
forbidden: 'Doc ID must be of the form org.couchdb.user:name'
});
}
if (oldDoc) { // validate all updates
if (oldDoc.name !== newDoc.name) {
throw({forbidden: 'Usernames can not be changed.'});
}
}
if (newDoc.password_sha && !newDoc.salt) {
throw({
forbidden: 'Users with password_sha must have a salt.' +
'See /_utils/script/couch.js for example code.'
});
}
if (userCtx.roles.indexOf('_admin') === -1 && userCtx.roles.indexOf('system_admin') === -1 ) {
if (oldDoc) { // validate non-admin updates
if (userCtx.name !== newDoc.name) {
throw({
forbidden: 'You may only update your own user document.'
});
}
// validate role updates
var oldRoles = oldDoc.roles.sort();
var newRoles = newDoc.roles.sort();
if (oldRoles.length !== newRoles.length) {
throw({forbidden: 'Only _admin may edit roles'});
}
for (var i = 0; i < oldRoles.length; i++) {
if (oldRoles[i] !== newRoles[i]) {
throw({forbidden: 'Only _admin may edit roles'});
}
}
} else if (newDoc.roles.length > 0) {
throw({forbidden: 'Only _admin may set roles'});
}
}
// no system roles in users db
for (var i = 0; i < newDoc.roles.length; i++) {
if (newDoc.roles[i][0] === '_') {
throw({
forbidden:
'No system roles (starting with underscore) in users db.'
});
}
}
// no system names as names
if (newDoc.name[0] === '_') {
throw({forbidden: 'Username may not start with underscore.'});
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment