authorAndreas Nilsson <andreas.nilsson@10gen.com>2015-09-16 14:40:55 -0400
committerAndreas Nilsson <andreas.nilsson@10gen.com>2015-09-16 14:45:49 -0400
commit5cb8c7d9810f15ba6926afe9d16d81eeb25724e5 (patch)
treeef9467d696c976ab59f067943662eecaba1d02fd
parent4ea8fda0b0b2ddbc33bf8782f2fa53c554e1c50e (diff)
downloadmongo-5cb8c7d9810f15ba6926afe9d16d81eeb25724e5.tar.gz
SERVER-20364 Let find privilege -> killCursor privilege
-rw-r--r--src/mongo/db/auth/authorization_session.cpp12
1 files changed, 8 insertions, 4 deletions
diff --git a/src/mongo/db/auth/authorization_session.cpp b/src/mongo/db/auth/authorization_session.cpp
index d49d270f06a..31eb04d3d7a 100644
--- a/src/mongo/db/auth/authorization_session.cpp
+++ b/src/mongo/db/auth/authorization_session.cpp
@@ -278,21 +278,25 @@ Status AuthorizationSession::checkAuthForKillCursors(const NamespaceString& ns,
long long cursorID) {
// See implementation comments in checkAuthForGetMore(). This method looks very similar.
if (ns.isListCollectionsGetMore()) {
- if (!isAuthorizedForActionsOnResource(ResourcePattern::forDatabaseName(ns.db()),
- ActionType::killCursors)) {
+ if (!(isAuthorizedForActionsOnResource(ResourcePattern::forDatabaseName(ns.db()),
+ ActionType::killCursors) ||
+ isAuthorizedForActionsOnResource(ResourcePattern::forDatabaseName(ns.db()),
+ ActionType::listCollections))) {
return Status(ErrorCodes::Unauthorized,
str::stream() << "not authorized to kill listCollections cursor on "
<< ns.ns());
}
} else if (ns.isListIndexesGetMore()) {
NamespaceString targetNS = ns.getTargetNSForListIndexesGetMore();
- if (!isAuthorizedForActionsOnNamespace(targetNS, ActionType::killCursors)) {
+ if (!(isAuthorizedForActionsOnNamespace(targetNS, ActionType::killCursors) ||
+ isAuthorizedForActionsOnNamespace(targetNS, ActionType::listIndexes))) {
return Status(ErrorCodes::Unauthorized,
str::stream() << "not authorized to kill listIndexes cursor on "
<< ns.ns());
}
} else {
- if (!isAuthorizedForActionsOnNamespace(ns, ActionType::killCursors)) {
+ if (!(isAuthorizedForActionsOnNamespace(ns, ActionType::killCursors) ||
+ isAuthorizedForActionsOnNamespace(ns, ActionType::find))) {
return Status(ErrorCodes::Unauthorized,
str::stream() << "not authorized to kill cursor on " << ns.ns());
}
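Review bot: The added `|| isAuthorizedForActionsOnNamespace(ns, ActionType::find)` alternative in the final else branch, like the `listCollections` and `listIndexes` alternatives in the two branches above it, lets any user who can read the namespace pass this check for any cursor id. `cursorID` is not consulted in the visible lines, so nothing here ties the kill to a cursor the caller opened. If ownership is not enforced elsewhere, a read-only user could end other users' cursors on the same namespace, so I would confirm that the caller verifies ownership before merging. The widened rule should also be documented above the first branch, for example `// A privilege that allows opening a cursor on this resource also allows killing one; cursor ownership is not checked here.` The function's signature and its tail lie outside the hunk.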