authorBilly Donahue <billy.donahue@mongodb.com>2018-04-05 16:53:12 -0400
committerBilly Donahue <billy.donahue@mongodb.com>2018-04-05 17:00:34 -0400
commit8b5a91133ea5ab272fed72b5d2ca0574899c270b (patch)
tree5dfd80a40781d1a3d0a9d8fc106795153f69f0b4 /src/mongo/db/commands.h
parentbafdf4c440267d22bbf8052689fbcc4f1d0a123d (diff)
downloadmongo-8b5a91133ea5ab272fed72b5d2ca0574899c270b.tar.gz
SERVER-33881 move checkAuthorization to CommandInvocation
Explain commands already have a parsed _innerInvocation so they can now use that for their auth check.
Diffstat (limited to 'src/mongo/db/commands.h')
-rw-r--r--src/mongo/db/commands.h33
1 files changed, 4 insertions, 29 deletions
diff --git a/src/mongo/db/commands.h b/src/mongo/db/commands.h
index 3fa2181b569..b01d366d866 100644
--- a/src/mongo/db/commands.h
+++ b/src/mongo/db/commands.h
@@ -305,13 +305,6 @@ public:
}
/**
- * Checks if the client associated with the given OperationContext is authorized to run this
- * command.
- */
- virtual Status checkAuthForRequest(OperationContext* opCtx,
- const OpMsgRequest& request) const = 0;
-
- /**
* Redacts "cmdObj" in-place to a form suitable for writing to logs.
*
* The default implementation does nothing.
@@ -378,18 +371,6 @@ public:
rpc::ReplyBuilderInterface* replyBuilder,
const Command& command);
- /**
- * Checks to see if the client executing "opCtx" is authorized to run the given command with the
- * given parameters on the given named database.
- *
- * Returns Status::OK() if the command is authorized. Most likely returns
- * ErrorCodes::Unauthorized otherwise, but any return other than Status::OK implies not
- * authorized.
- */
- static Status checkAuthorization(Command* c,
- OperationContext* opCtx,
- const OpMsgRequest& request);
-
private:
// Counters for how many times this command has been executed and failed
Counter64 _commandsExecuted;
@@ -499,8 +480,9 @@ public:
* the client executing "opCtx" is authorized to run the given command
* with the given parameters on the given named database.
* Note: nonvirtual.
+ * The 'request' must outlive this CommandInvocation.
*/
- void checkAuthorization(OperationContext* opCtx) const;
+ void checkAuthorization(OperationContext* opCtx, const OpMsgRequest& request) const;
protected:
ResourcePattern resourcePattern() const;
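Review bot: The comment added to `checkAuthorization` gives a lifetime rule for `request` but does not say which request is expected, even though the invocation already carries its own parsed state and `doCheckAuthorization(opCtx)` in the next hunk takes no request. If the implementation uses `request` for anything it records about the check (not visible in this header), a caller passing a request other than the one the invocation was parsed from would have the decision made on one command and the record written for another. I would add `* 'request' must be the OpMsgRequest this invocation was parsed from.` to the comment. Because the method returns `void`, the comment should also say how a denial is reported, presumably by throwing. The doc comment begins above the hunk, so its opening lines are not visible here.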
@@ -512,6 +494,8 @@ private:
*/
virtual void doCheckAuthorization(OperationContext* opCtx) const = 0;
+ Status _checkAuthorizationImpl(OperationContext* opCtx, const OpMsgRequest& request) const;
+
const Command* const _definition;
};
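Review bot: `_checkAuthorizationImpl` is declared without a comment, and the fail-closed contract that the removed static `checkAuthorization` documented ("any return other than Status::OK implies not authorized") is not carried over to this new `Status`-returning helper. Since the public `checkAuthorization` returns `void`, this helper looks like the one place where a `Status` still has to be interpreted, so the rule belongs on it. I would add `// Returns Status::OK() only if authorized; callers must treat every other Status as a denial and must not discard it.` above the declaration. The class body starts outside the hunk, so whether other members rely on this helper cannot be seen from here.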
@@ -627,15 +611,6 @@ private:
// The default implementation of addRequiredPrivileges should never be hit.
fassertFailed(16940);
}
-
- //
- // Methods provided for subclasses if they implement above interface.
- //
-
- /**
- * Calls checkAuthForOperation.
- */
- Status checkAuthForRequest(OperationContext* opCtx, const OpMsgRequest& request) const final;
};
/**