authordwight <dwight@Dwights-MacBook-2.local>2009-01-21 17:26:16 -0500
committerdwight <dwight@Dwights-MacBook-2.local>2009-01-21 17:26:16 -0500
commit0f9f3648b064641860d40a8b9da01c013bef2d75 (patch)
tree342dd28f1bc30da211bde6d493bdb9f8e9d71baf /db
parent92d7e087d3d250788a164d54326347c42e798f19 (diff)
if no admin.system.users, allow access to everything from localhost
Diffstat (limited to 'db')
-rw-r--r--db/db.cpp2
-rw-r--r--db/dbhelpers.h8
-rw-r--r--db/security.cpp2
-rw-r--r--db/security.h27
4 files changed, 32 insertions, 7 deletions
diff --git a/db/db.cpp b/db/db.cpp
index fb36a43bece..7d9d2b5e7b9 100644
--- a/db/db.cpp
+++ b/db/db.cpp
@@ -162,6 +162,8 @@ namespace mongo {
try {
+ ai->isLocalHost = dbMsgPort.farEnd.isLocalHost();
+
Message m;
while ( 1 ) {
m.reset();
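Review bot: The value assigned to `ai->isLocalHost` becomes an authorization input in `AuthenticationInfo::isAuthorized` (db/security.h in this commit), yet nothing at the assignment says so. It is taken from the connection's far-end address, so a client that reaches the server through a local proxy, tunnel or port forward would presumably count as localhost; how `isLocalHost()` classifies addresses is not visible in this hunk. A comment such as `// security: peer address decides the no-users localhost bypass in isAuthorized()` would flag the line for anyone editing it later. The enclosing function starts and ends outside the hunk.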
diff --git a/db/dbhelpers.h b/db/dbhelpers.h
index b606d75776f..d2b56a025e1 100644
--- a/db/dbhelpers.h
+++ b/db/dbhelpers.h
@@ -50,11 +50,11 @@ namespace mongo {
static bool findOne(const char *ns, BSONObj query, BSONObj& result, bool requireIndex=false);
/* Get/put the first object from a collection. Generally only useful if the collection
- only ever has a single object -- which is a "singleton collection".
+ only ever has a single object -- which is a "singleton collection".
- You do not need to set the database before calling.
-
- Returns: true if object exists.
+ You do not need to set the database before calling.
+
+ Returns: true if object exists.
*/
static bool getSingleton(const char *ns, BSONObj& result);
static void putSingleton(const char *ns, BSONObj obj);
diff --git a/db/security.cpp b/db/security.cpp
index c4174f7f720..81340aada0c 100644
--- a/db/security.cpp
+++ b/db/security.cpp
@@ -17,6 +17,8 @@ namespace mongo {
bool noauth = true;
+ int AuthenticationInfo::warned;
+
Security::Security(){
#if defined(__linux__)
devrandom = new ifstream("/dev/urandom", ios::binary|ios::in);
diff --git a/db/security.h b/db/security.h
index 5b5f69ea27c..9b22ff85793 100644
--- a/db/security.h
+++ b/db/security.h
@@ -19,6 +19,8 @@
#pragma once
#include <boost/thread/tss.hpp>
+#include "db.h"
+#include "dbhelpers.h"
namespace mongo {
@@ -33,16 +35,35 @@ namespace mongo {
class AuthenticationInfo : boost::noncopyable {
map<string, Auth> m; // dbname -> auth
+ static int warned;
public:
- AuthenticationInfo() { }
+ bool isLocalHost;
+ AuthenticationInfo() { isLocalHost = false; }
~AuthenticationInfo() {
}
- void logout(const char *dbname) { m.erase(dbname); }
+ void logout(const char *dbname) {
+ assert( dbMutexInfo.isLocked() );
+ m.erase(dbname);
+ }
void authorize(const char *dbname) {
+ assert( dbMutexInfo.isLocked() );
m[dbname].level = 2;
}
bool isAuthorized(const char *dbname) {
- return m[dbname].level == 2 || noauth;
+ if( m[dbname].level == 2 ) return true;
+ if( noauth ) return true;
+ if( isLocalHost ) {
+ DBContext c("admin.system.users");
+ BSONObj result;
+ if( Helpers::getSingleton("admin.system.users", result) )
+ return false;
+ if( warned == 0 ) {
+ warned++;
+ log() << "warning: no users configured in admin.system.users, allowing localhost access" << endl;
+ }
+ return true;
+ }
+ return false;
}
};
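Review bot: In `isAuthorized`, the new localhost branch opens a `DBContext` and reads `admin.system.users`, but unlike `logout` and `authorize` in this same hunk it does not assert that the db mutex is held; adding `assert( dbMutexInfo.isLocked() );` as its first statement would make the locking contract consistent. The branch also fails open, because any `false` from `Helpers::getSingleton` is read as "no users configured". If that call can return false for a reason other than an empty collection (not visible here), every database becomes accessible from localhost, so the assumption deserves a comment at the call. The warning is emitted once per process through the unsynchronised static `warned`, which means later unauthenticated localhost sessions leave no log trace; logging once per connection would give operators something to audit.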