author | James Wahlin <james@mongodb.com> | 2017-07-03 15:33:36 -0400 |
---|---|---|
committer | James Wahlin <james@mongodb.com> | 2017-07-25 12:24:49 -0400 |
commit | 5dcaad5f137eebc1915c0fc7b5078da4aa86f915 (patch) | |
tree | 3994b41708bce7cf5cbc5b7c9ba422db77f9bfb3 /src/mongo/db/pipeline/document_source_current_op.cpp | |
parent | 079763d2cd06776edf81f3ecf6c32ab66d1742ec (diff) | |
download | mongo-5dcaad5f137eebc1915c0fc7b5078da4aa86f915.tar.gz |
SERVER-29371 DocumentSource classes should provide auth requirements
Diffstat (limited to 'src/mongo/db/pipeline/document_source_current_op.cpp')
-rw-r--r-- | src/mongo/db/pipeline/document_source_current_op.cpp | 33 |
1 files changed, 32 insertions, 1 deletions
diff --git a/src/mongo/db/pipeline/document_source_current_op.cpp b/src/mongo/db/pipeline/document_source_current_op.cpp
index 6a37192f8ad..b49d7de702c 100644
--- a/src/mongo/db/pipeline/document_source_current_op.cpp
+++ b/src/mongo/db/pipeline/document_source_current_op.cpp
@@ -48,9 +48,40 @@ const StringData kShardFieldName = "shard"_sd;
 using boost::intrusive_ptr;
 
 REGISTER_DOCUMENT_SOURCE(currentOp,
- LiteParsedDocumentSourceDefault::parse,
+ DocumentSourceCurrentOp::LiteParsed::parse,
 DocumentSourceCurrentOp::createFromBson);
 
+std::unique_ptr<DocumentSourceCurrentOp::LiteParsed> DocumentSourceCurrentOp::LiteParsed::parse(
+ const AggregationRequest& request, const BSONElement& spec) {
+ // Need to check the value of allUsers; if true then inprog privilege is required.
+ if (spec.type() != BSONType::Object) {
+ uasserted(ErrorCodes::TypeMismatch,
+ str::stream() << "$currentOp options must be specified in an object, but found: "
+ << typeName(spec.type()));
+ }
+
+ bool allUsers = false;
+
+ // Check the spec for all fields named 'allUsers'. If any of them are 'true', we require
+ // the 'inprog' privilege. This avoids the possibility that a spec with multiple
+ // allUsers fields might allow an unauthorized user to view all operations.
+ for (auto&& elem : spec.embeddedObject()) {
+ if (elem.fieldNameStringData() == "allUsers"_sd) {
+ if (elem.type() != BSONType::Bool) {
+ uasserted(ErrorCodes::TypeMismatch,
+ str::stream() << "The 'allUsers' parameter of the $currentOp stage "
+ "must be a boolean value, but found: "
+ << typeName(elem.type()));
+ }
+
+ allUsers = allUsers || elem.boolean();
+ }
+ }
+
+ return stdx::make_unique<DocumentSourceCurrentOp::LiteParsed>(allUsers);
+}
+
+
 const char* DocumentSourceCurrentOp::getSourceName() const {
 return "$currentOp";
 } |
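Review bot: `LiteParsed::parse` derives the privilege requirement from its own scan of the spec, while `createFromBson` (outside this hunk) parses the same object again to decide what the stage actually does, and nothing in the new code ties the two together. If they ever disagree on the field name, the accepted types, the default when `allUsers` is absent, or how duplicate fields are resolved, the authorization check and the executed stage diverge, which is the very bypass the loop comment is guarding against. I would state that contract above the loop, e.g. `// Must stay in sync with createFromBson(): same field name, same Bool-only rule, same default (false).`, and compare against the file's field-name constant instead of the literal `"allUsers"_sd` if one is defined alongside `kShardFieldName`.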