authorTess Avitabile <tess.avitabile@mongodb.com>2017-03-21 11:22:11 -0400
committerTess Avitabile <tess.avitabile@mongodb.com>2017-03-22 13:09:21 -0400
commitd66405f651b0a49a06aacb286e3d1740a0b020af (patch)
tree86f20f45d29d63b53137772c13ea8e917193b18e /src/mongo/db/query
parent70151a3b5cc65bd1b16831c523a6f5b477b82c3d (diff)
SERVER-9609 Ensure users can only call getMore on cursors they created
Diffstat (limited to 'src/mongo/db/query')
-rw-r--r--src/mongo/db/query/find.cpp12
1 files changed, 12 insertions, 0 deletions
diff --git a/src/mongo/db/query/find.cpp b/src/mongo/db/query/find.cpp
index 62a08389e3f..903153d0824 100644
--- a/src/mongo/db/query/find.cpp
+++ b/src/mongo/db/query/find.cpp
@@ -33,6 +33,7 @@
#include "mongo/db/query/find.h"
#include "mongo/client/dbclientinterface.h"
+#include "mongo/db/auth/authorization_session.h"
#include "mongo/db/catalog/collection.h"
#include "mongo/db/catalog/database_holder.h"
#include "mongo/db/client.h"
@@ -324,6 +325,16 @@ Message getMore(OperationContext* opCtx,
<< " belongs to namespace "
<< cc->nss().ns(),
nss == cc->nss());
+
+ // A user can only call getMore on their own cursor. If there were multiple users
+ // authenticated when the cursor was created, then at least one of them must be
+ // authenticated in order to run getMore on the cursor.
+ uassert(ErrorCodes::Unauthorized,
+ str::stream() << "cursor id " << cursorid
+ << " was not created by the authenticated user",
+ AuthorizationSession::get(opCtx->getClient())
+ ->isCoauthorizedWith(cc->getAuthenticatedUsers()));
+
*isCursorAuthorized = true;
if (cc->isReadCommitted())
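Review bot: The new ownership check runs after the namespace uassert, whose message ends in `<< " belongs to namespace " << cc->nss().ns()`, so a caller who did not create the cursor can still be told which namespace it belongs to before `Unauthorized` is raised. Consider moving the `isCoauthorizedWith(cc->getAuthenticatedUsers())` uassert ahead of the namespace check, or dropping the namespace from the earlier message. The distinct `ErrorCodes::Unauthorized` result also lets a caller tell an existing cursor id owned by someone else apart from an unknown id; if that matters, returning the same error as for a missing cursor would avoid it. The namespace uassert and the rest of getMore begin outside this hunk, so any earlier privilege check on `nss` is not visible here.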
@@ -653,6 +664,7 @@ std::string runQuery(OperationContext* opCtx,
ClientCursorPin pinnedCursor = collection->getCursorManager()->registerCursor(
{std::move(exec),
nss,
+ AuthorizationSession::get(opCtx->getClient())->getAuthenticatedUserNames(),
opCtx->recoveryUnit()->isReadingFromMajorityCommittedSnapshot(),
upconvertQueryEntry(q.query, qr.nss(), q.ntoreturn, q.ntoskip)});
ccId = pinnedCursor.getCursor()->cursorid();
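Review bot: Nothing at this call site says that the user names are a snapshot taken when the cursor is created, which is what the getMore ownership check later compares against. A one-line comment above the new argument would help, e.g. `// Users authenticated at creation own this cursor; getMore is checked against this set.` The argument is also added positionally in the middle of a braced initializer, so every other `registerCursor` caller has to be updated in step. The diffstat is limited to `src/mongo/db/query`, so those callers are not visible here. It is worth confirming what `isCoauthorizedWith` returns for a cursor registered with an empty user set. runQuery's body continues outside the hunk.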