SERVER-9518 Change webserver to use acquireUser to get user's password hash, rather than a direct call to getPrivilegeDocument

1 files changed, 15 insertions, 3 deletions

diff --git a/src/mongo/db/dbwebserver.cpp b/src/mongo/db/dbwebserver.cpp
index 2c6311d463a..d4598fed49e 100644
--- a/src/mongo/db/dbwebserver.cpp
+++ b/src/mongo/db/dbwebserver.cpp
@@ -32,6 +32,7 @@
 #include "mongo/db/auth/authorization_session.h"
 #include "mongo/db/auth/privilege.h"
 #include "mongo/db/auth/user_name.h"
+#include "mongo/db/auth/user.h"
 #include "mongo/db/background.h"
 #include "mongo/db/cmdline.h"
 #include "mongo/db/commands.h"
@@ -109,9 +110,20 @@ namespace mongo {
 
                 // Only users in the admin DB are visible by the webserver
                 UserName userName(parms["username"], "admin");
-                BSONObj user = _webUsers->getAdminUser(userName);
-                if ( ! user.isEmpty() ) {
-                    string ha1 = user["pwd"].str();
+                User* user;
+                AuthorizationManager& authzManager =
+                        cc().getAuthorizationSession()->getAuthorizationManager();
+                Status status = authzManager.acquireUser(userName, &user);
+                if (!status.isOK()) {
+                    if (status.code() != ErrorCodes::UserNotFound) {
+                        uasserted(17051, status.reason());
+                    }
+                } else {
+                    uassert(17090,
+                            "External users don't have a password",
+                            !user->getCredentials().isExternal);
+                    string ha1 = user->getCredentials().password;
+                    authzManager.releaseUser(user);
                     string ha2 = md5simpledigest( (string)"GET" + ":" + parms["uri"] );
 
                     stringstream r;