  1. Couchbase Gateway
  2. CBG-2467

[3.0.4 Backport] Update UserHasDocAccess to check most recent rather than rev



    • Improvement
    • Resolution: Fixed
    • Critical
    • 3.0.4
    • None
    • SyncGateway
    • Security Level: Public
    • None


      Currently, before we send a revocation / removal message in 3.x, we first check whether the user has access to that doc / revision through another grant. If they have access through another grant, we won't send the revocation / removal.

      At present there is a situation in which we could end up revoking rev 2 leaving channel A when the user has access to rev 3 through channel B. If there are multiple replications to one client, one running A and one running B, we could end up getting into a race condition where the revocation will arrive last and purge the document from the device.

      One possible solution is to ignore the revision and do a check to see if the user has access to the most recent version of the document.

      A couple of things to verify:

      1. This is only the case if CBL ignores the rev and deletes the document based on doc id - I assume this is the case.
      2. Explore any edge cases to ensure this wouldn't cause any adverse effects which would diminish security.
      3. Would this be better suited for CBL or SGW (or both)?






              adamf Adam Fraser
              jacques.rascagneres Jacques Rascagneres
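
The race described in the ticket, modelled as an added example (not Sync Gateway's code and not part of the original ticket). The `Doc` type, the two `SendRemoval...` functions and the channel layout are hypothetical, constructed to match the rev 2 / rev 3 scenario and to show that a user who only holds channel A still receives the removal.

```go
package main

import "fmt"

// Constructed model, not Sync Gateway's data structures: a document is a list
// of revisions (oldest first), each with the set of channels it belongs to.
type Doc struct {
	ID   string
	Revs []map[string]bool // Revs[i] holds the channels of revision i+1
}

// canSee reports whether any of the user's channels contains the revision.
func canSee(userChannels []string, revChannels map[string]bool) bool {
	for _, ch := range userChannels {
		if revChannels[ch] {
			return true
		}
	}
	return false
}

// SendRemovalByRev is the revision-scoped check described in the ticket:
// suppress the removal only if the user can still see that specific revision.
func SendRemovalByRev(d Doc, user []string, rev int) bool {
	return !canSee(user, d.Revs[rev-1])
}

// SendRemovalByCurrent is the proposed check: ignore the revision and
// suppress the removal if the user can see the most recent revision.
func SendRemovalByCurrent(d Doc, user []string) bool {
	return !canSee(user, d.Revs[len(d.Revs)-1])
}

// Scenario builds the ticket's case: rev 1 in A, rev 2 leaves A, rev 3 in B.
func Scenario() (Doc, []string) {
	d := Doc{ID: "doc1", Revs: []map[string]bool{{"A": true}, {}, {"B": true}}}
	return d, []string{"A", "B"} // one client, replications on A and on B
}

func main() {
	d, user := Scenario()
	// The replication on A processes "rev 2 left channel A".
	fmt.Println("rev-scoped check sends removal:", SendRemovalByRev(d, user, 2))
	fmt.Println("current-rev check sends removal:", SendRemovalByCurrent(d, user))
	// A user with only channel A has genuinely lost access: removal is sent.
	fmt.Println("A-only user, current-rev check:", SendRemovalByCurrent(d, []string{"A"}))
}
```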


