author | Ian Boros <ian.boros@10gen.com> | 2018-02-14 14:46:33 -0500 |
---|---|---|
committer | Ian Boros <ian.boros@10gen.com> | 2018-02-20 13:25:49 -0500 |
commit | 9e428f7bf5e6e6163f6bb9deafec15961995813c (patch) | |
tree | e28466f5f7ca3f5181eccd73b375b3f45e4136b6 | |
parent | 9d1a7c5be9edbfdd039723ee91455f35b5ecc948 (diff) | |
download | mongo-9e428f7bf5e6e6163f6bb9deafec15961995813c.tar.gz |
SERVER-33331 Add test cross_user_getmore_has_node_side_effects.js
-rw-r--r-- | jstests/noPassthrough/cross_user_getmore_has_no_side_effects.js | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/jstests/noPassthrough/cross_user_getmore_has_no_side_effects.js b/jstests/noPassthrough/cross_user_getmore_has_no_side_effects.js
new file mode 100644
index 00000000000..04eadff0242
--- /dev/null
+++ b/jstests/noPassthrough/cross_user_getmore_has_no_side_effects.js
@@ -0,0 +1,63 @@
+// Test that a user is not allowed to getMore a cursor they did not create, and that such a failed
+// getMore will leave the cursor unaffected, so that a subsequent getMore by the original author
+// will work.
+(function() {
+ const st = new ShardingTest({shards: 2, config: 1, other: {keyFile: "jstests/libs/key1"}});
+ const kDBName = "test";
+ const adminDB = st.s.getDB('admin');
+ const testDB = st.s.getDB(kDBName);
+
+ jsTest.authenticate(st.shard0);
+
+ const adminUser = {db: "admin", username: "foo", password: "bar"};
+ const userA = {db: "test", username: "a", password: "pwd"};
+ const userB = {db: "test", username: "b", password: "pwd"};
+
+ function login(userObj) {
+ st.s.getDB(userObj.db).auth(userObj.username, userObj.password);
+ }
+
+ function logout(userObj) {
+ st.s.getDB(userObj.db).runCommand({logout: 1});
+ }
+
+ adminDB.createUser(
+ {user: adminUser.username, pwd: adminUser.password, roles: jsTest.adminUserRoles});
+
+ login(adminUser);
+
+ let coll = testDB.security_501;
+ coll.drop();
+
+ for (let i = 0; i < 100; i++) {
+ assert.writeOK(coll.insert({_id: i}));
+ }
+
+ // Create our two users.
+ for (let user of[userA, userB]) {
+ testDB.createUser({
+ user: user.username,
+ pwd: user.password,
+ roles: [{role: "readWriteAnyDatabase", db: "admin"}]
+ });
+ }
+ logout(adminUser);
+
+ // As userA, run a find and get a cursor.
+ login(userA);
+ const cursorID =
+ assert.commandWorked(testDB.runCommand({find: coll.getName(), batchSize: 2})).cursor.id;
+ logout(userA);
+
+ // As userB, attempt to getMore the cursor ID.
+ login(userB);
+ assert.commandFailed(testDB.runCommand({getMore: cursorID, collection: coll.getName()}));
+ logout(userB);
+
+ // As user A again, try to getMore the cursor.
+ login(userA);
+ assert.commandWorked(testDB.runCommand({getMore: cursorID, collection: coll.getName()}));
+ logout(userA);
+
+ st.stop();
+})(); |
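Review bot: The cross-user check `assert.commandFailed(testDB.runCommand({getMore: cursorID, collection: coll.getName()}))` accepts any failure, so the test would still pass if userB's getMore were rejected for a reason unrelated to cursor ownership, such as a missing cursor or a connection that never authenticated. Pinning the expected code, presumably `assert.commandFailedWithCode(testDB.runCommand({getMore: cursorID, collection: coll.getName()}), ErrorCodes.Unauthorized);`, would make the authorization boundary the thing under test. Relatedly, `login()` discards the result of `auth()`; writing it as `assert(st.s.getDB(userObj.db).auth(userObj.username, userObj.password));` would stop a silently failed login from being mistaken for the expected rejection. The final getMore by userA checks only `commandWorked`; asserting on the returned `cursor.nextBatch` (non-empty, continuing after the first two documents) would better support the "cursor unaffected" claim in the header comment.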