diff options
author | Jason Rassi <rassi@10gen.com> | 2015-04-25 12:51:24 -0400 |
---|---|---|
committer | Jason Rassi <rassi@10gen.com> | 2015-04-28 16:38:23 -0400 |
commit | 5b80159eeb2332a5e8e79e30de27c2dd72c30a18 (patch) | |
tree | 8034982646b4c5afd06910f5262b22143f2361a1 /src/mongo/db/ops | |
parent | f98df94031c60c3facc2fb4863ff06dc2b911bec (diff) | |
download | mongo-5b80159eeb2332a5e8e79e30de27c2dd72c30a18.tar.gz |
SERVER-18111 Forbid most user operations against "system.profile"
Forbids user writes to "system.profile". Notably, this also prevents
"system.profile" from being used as a source or target from
renameCollection.
Creation, drop, and capped conversion of "system.profile" remain
allowed.
Diffstat (limited to 'src/mongo/db/ops')
-rw-r--r-- | src/mongo/db/ops/insert.cpp | 8 | ||||
-rw-r--r-- | src/mongo/db/ops/insert.h | 11 |
2 files changed, 16 insertions, 3 deletions
diff --git a/src/mongo/db/ops/insert.cpp b/src/mongo/db/ops/insert.cpp index 715895830da..38a2a478043 100644 --- a/src/mongo/db/ops/insert.cpp +++ b/src/mongo/db/ops/insert.cpp @@ -141,6 +141,14 @@ namespace mongo { } Status userAllowedWriteNS( StringData db, StringData coll ) { + if ( coll == "system.profile" ) { + return Status( ErrorCodes::BadValue, + str::stream() << "cannot write to '" << db << ".system.profile'" ); + } + return userAllowedCreateNS( db, coll ); + } + + Status userAllowedCreateNS( StringData db, StringData coll ) { // validity checking if ( db.size() == 0 ) diff --git a/src/mongo/db/ops/insert.h b/src/mongo/db/ops/insert.h index c62985f2ec3..f55f8e80ea6 100644 --- a/src/mongo/db/ops/insert.h +++ b/src/mongo/db/ops/insert.h @@ -41,12 +41,17 @@ namespace mongo { /** - * check if this is a collection _any_ user can write to - * does NOT to permission checking, that is elsewhere - * for example, can't write to foo.system.bar + * Returns Status::OK() if this namespace is valid for user write operations. If not, returns + * an error Status. */ Status userAllowedWriteNS( StringData db, StringData coll ); Status userAllowedWriteNS( StringData ns ); Status userAllowedWriteNS( const NamespaceString& ns ); + /** + * Returns Status::OK() if the namespace described by (db, coll) is valid for user create + * operations. If not, returns an error Status. + */ + Status userAllowedCreateNS( StringData db, StringData coll ); + } |