authorCharlie Swanson <charlie.swanson@mongodb.com>2016-06-17 16:56:54 -0400
committerCharlie Swanson <charlie.swanson@mongodb.com>2016-06-23 13:05:06 -0400
commit17a143c17686a8103e26f833976c2d8fe91724a1 (patch)
treee4e4f8da1c461b81379a6c776dd6d6d2c1c594eb /jstests/auth/lib
parent652ec9286b5dbbf297d9236fdcc202be20811f43 (diff)
downloadmongo-17a143c17686a8103e26f833976c2d8fe91724a1.tar.gz
SERVER-24653 $graphLookup should check permissions on "from" collection.
Diffstat (limited to 'jstests/auth/lib')
-rw-r--r--jstests/auth/lib/commands_lib.js81
1 files changed, 81 insertions, 0 deletions
diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js
index d4213725685..2527e679c66 100644
--- a/jstests/auth/lib/commands_lib.js
+++ b/jstests/auth/lib/commands_lib.js
@@ -78,6 +78,11 @@ particular database.
*/
// constants
+
+// All roles that are specific to one database will be given only for 'firstDbName'. For example,
+// when using the roles in 'roles_read', the 'read' role will only be granted on 'firstDbName'. In
+// particular, this means that when 'runOnDb' is 'secondDbName', the test user with the 'read' role
+// should not be able to perform read operations.
var firstDbName = "roles_commands_1";
var secondDbName = "roles_commands_2";
var adminDbName = "admin";
@@ -277,6 +282,82 @@ var authCommandsLib = {
}]
},
{
+ testname: "aggregate_lookup",
+ command: {
+ aggregate: "foo",
+ pipeline: [
+ {$lookup: {from: "bar", localField: "_id", foreignField: "_id", as: "results"}}
+ ]
+ },
+ setup: function(db) {
+ db.createCollection("foo");
+ db.createCollection("bar");
+ },
+ teardown: function(db) {
+ db.foo.drop();
+ db.bar.drop();
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_read,
+ privileges: [
+ {resource: {db: firstDbName, collection: "foo"}, actions: ["find"]},
+ {resource: {db: firstDbName, collection: "bar"}, actions: ["find"]}
+ ]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_readAny,
+ privileges: [
+ {resource: {db: secondDbName, collection: "foo"}, actions: ["find"]},
+ {resource: {db: secondDbName, collection: "bar"}, actions: ["find"]}
+ ]
+ }
+ ]
+ },
+ {
+ testname: "aggregate_graphLookup",
+ command: {
+ aggregate: "foo",
+ pipeline: [{
+ $graphLookup: {
+ from: "bar",
+ startWith: [1],
+ connectFromField: "_id",
+ connectToField: "barId",
+ as: "results"
+ }
+ }]
+ },
+ setup: function(db) {
+ db.createCollection("foo");
+ db.createCollection("bar");
+ },
+ teardown: function(db) {
+ db.foo.drop();
+ db.bar.drop();
+ },
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_read,
+ privileges: [
+ {resource: {db: firstDbName, collection: "foo"}, actions: ["find"]},
+ {resource: {db: firstDbName, collection: "bar"}, actions: ["find"]}
+ ]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_readAny,
+ privileges: [
+ {resource: {db: secondDbName, collection: "foo"}, actions: ["find"]},
+ {resource: {db: secondDbName, collection: "bar"}, actions: ["find"]}
+ ]
+ }
+ ]
+ },
+ {
testname: "appendOplogNote",
command: {appendOplogNote: 1, data: {a: 1}},
skipSharded: true,
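Review bot: The new `aggregate_lookup` and `aggregate_graphLookup` entries list only the sufficient privilege set (`find` on both "foo" and "bar"); nothing in this hunk asserts that a user holding `find` on "foo" alone is refused, which is the authorization gap SERVER-24653 is about. Whether the test runner derives that negative check from a multi-privilege list is not visible here, so it is worth confirming before relying on these entries as regression coverage. To record the intent, I would add a comment above each `privileges` array, e.g. `// 'find' on "bar" is required because the stage reads the "from" collection; 'find' on "foo" alone must be rejected.` The enclosing `authCommandsLib` object starts and ends outside the hunk.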