SERVER-12621 narrow the localhost exception when auth is enabled

1 files changed, 7 insertions, 4 deletions

diff --git a/src/mongo/db/auth/authz_session_external_state_server_common.cpp b/src/mongo/db/auth/authz_session_external_state_server_common.cpp
index 80f24004533..b5c6f6a4bc3 100644
--- a/src/mongo/db/auth/authz_session_external_state_server_common.cpp
+++ b/src/mongo/db/auth/authz_session_external_state_server_common.cpp
@@ -41,7 +41,7 @@ namespace {
 } // namespace
 
     // NOTE: we default _allowLocalhost to true under the assumption that _checkShouldAllowLocalhost
-    // will always be called before any calls to shouldIgnoreAuthChecks.  If this is not the case,
+    // will always be called before any calls to shouldAllowLocalhost.  If this is not the case,
     // it could cause a security hole.
     AuthzSessionExternalStateServerCommon::AuthzSessionExternalStateServerCommon(
             AuthorizationManager* authzManager) :
@@ -70,10 +70,13 @@ namespace {
         }
     }
 
-    bool AuthzSessionExternalStateServerCommon::shouldIgnoreAuthChecks() const {
+    bool AuthzSessionExternalStateServerCommon::shouldAllowLocalhost() const {
         ClientBasic* client = ClientBasic::getCurrent();
-        return !_authzManager->isAuthEnabled() ||
-                (_allowLocalhost && client->getIsLocalHostConnection());
+        return _allowLocalhost && client->getIsLocalHostConnection();
+    }
+
+    bool AuthzSessionExternalStateServerCommon::shouldIgnoreAuthChecks() const {
+        return !_authzManager->isAuthEnabled();
     }
 
 } // namespace mongo