-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathindex.js
89 lines (77 loc) · 2.82 KB
/
index.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
/*
Copyright 2014, Marten de Vries
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
"use strict";
var wrappers = require("pouchdb-wrappers");
var createChangeslikeWrapper = require("pouchdb-changeslike-wrapper");
var Security = require("pouchdb-security");
var PouchDBPluginError = require("pouchdb-plugin-error");
exports.installSystemDBProtection = function (db) {
Security.installSecurityMethods.call(db);
wrappers.installWrapperMethods(db, systemWrappers);
};
exports.uninstallSystemDBProtection = function (db) {
wrappers.uninstallWrapperMethods(db, systemWrappers);
Security.uninstallSecurityMethods.call(db);
};
function adminOnlyWrapper(error, orig, args) {
var userCtx = (args.options || {}).userCtx || {
//admin party
name: null,
roles: ["_admin"]
};
if (userCtx.roles.indexOf("_admin") !== -1) {
//server admin can do everything
return orig();
}
return args.db.getSecurity().then(function (security) {
var dbAdmins = (security.admins || {});
var isDbAdmin = (
(dbAdmins.users || []).indexOf(userCtx.name) !== -1 ||
(dbAdmins.roles || []).some(function (role) {
return userCtx.roles.indexOf(role) !== -1;
})
);
if (!isDbAdmin) {
throw new PouchDBPluginError(error);
}
return orig();
});
}
function create401(urlName) {
return {
status: 401,
name: "unauthorized",
message: "Only admins can access " + urlName + " of system databases."
};
}
var systemWrappers = {};
systemWrappers.allDocs = adminOnlyWrapper.bind(null, create401("_all_docs"));
systemWrappers.changes = createChangeslikeWrapper(
adminOnlyWrapper.bind(null, create401("_changes"))
);
systemWrappers.query = adminOnlyWrapper.bind(null, create401("_view (or _temp_view)"));
//CouchDB just crashes because of the 404 below for these. Use this
//error instead because PouchDB doesn't crash on it.
systemWrappers.sync = createChangeslikeWrapper(adminOnlyWrapper.bind(null, create401(".sync()")));
systemWrappers["replicate.from"] = createChangeslikeWrapper(
adminOnlyWrapper.bind(null, create401(".replicate.from()"))
);
systemWrappers["replicate.to"] = createChangeslikeWrapper(
adminOnlyWrapper.bind(null, create401(".replicate.to()"))
);
systemWrappers.get = adminOnlyWrapper.bind(null, {
status: 404,
name: "not_found",
message: "missing"
});
systemWrappers.getAttachment = wrappers.get;