authorIsabella Siu <isabella.siu@10gen.com>2019-01-11 11:16:24 -0500
committerIsabella Siu <isabella.siu@10gen.com>2019-02-08 14:34:32 -0500
commit8e5e745e98d33633e7d24a2629f22cdba79d9851 (patch)
tree9e02d92dadcf67140fe8707d792e55cf12b5443e /src/mongo/s/commands/commands_public.cpp
parent7a7baa2539ec169335086e45c7d0b85ba7cdb877 (diff)
SERVER-37836 re-evaluate authorization for originating command in getMore
Diffstat (limited to 'src/mongo/s/commands/commands_public.cpp')
-rw-r--r--src/mongo/s/commands/commands_public.cpp27
1 files changed, 21 insertions, 6 deletions
diff --git a/src/mongo/s/commands/commands_public.cpp b/src/mongo/s/commands/commands_public.cpp
index eb0a9f75704..d6f939f78b2 100644
--- a/src/mongo/s/commands/commands_public.cpp
+++ b/src/mongo/s/commands/commands_public.cpp
@@ -57,7 +57,8 @@ bool cursorCommandPassthrough(OperationContext* opCtx,
const CachedDatabaseInfo& dbInfo,
const BSONObj& cmdObj,
const NamespaceString& nss,
- BSONObjBuilder* out) {
+ BSONObjBuilder* out,
+ const PrivilegeVector& privileges) {
auto response = executeCommandAgainstDatabasePrimary(
opCtx,
dbName,
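Review bot: The new `privileges` parameter of `cursorCommandPassthrough` carries no documentation, and nothing in the visible lines says what an empty vector would mean for the later getMore check. Judging by the commit title, it holds the privileges of the originating command, which the next hunk hands to the cursor-storing call beside `getCursorManager()`. I would add a comment above the signature such as `// privileges: privileges required by the originating command; stored with the cursor so getMore can re-check them. Must not be empty for an access-controlled command.` The function body continues outside this hunk, so whether an empty vector is rejected anywhere is not visible here.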
@@ -74,7 +75,8 @@ bool cursorCommandPassthrough(OperationContext* opCtx,
cmdResponse.data,
nss,
Grid::get(opCtx)->getExecutorPool()->getArbitraryExecutor(),
- Grid::get(opCtx)->getCursorManager()));
+ Grid::get(opCtx)->getCursorManager(),
+ privileges));
CommandHelpers::filterCommandReplyForPassthrough(transformedResponse, out);
return true;
@@ -338,7 +340,7 @@ public:
const BSONObj& cmdObj) const final {
AuthorizationSession* authzSession = AuthorizationSession::get(client);
- if (authzSession->isAuthorizedToListCollections(dbname, cmdObj)) {
+ if (authzSession->checkAuthorizedToListCollections(dbname, cmdObj).isOK()) {
return Status::OK();
}
@@ -447,9 +449,15 @@ public:
}
return cursorCommandPassthrough(
- opCtx, dbName, dbInfoStatus.getValue(), newCmd, nss, &result);
+ opCtx,
+ dbName,
+ dbInfoStatus.getValue(),
+ newCmd,
+ nss,
+ &result,
+ uassertStatusOK(AuthorizationSession::get(opCtx->getClient())
+ ->checkAuthorizedToListCollections(dbName, cmdObj)));
}
-
} cmdListCollections;
class CmdListIndexes : public BasicCommand {
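Review bot: The privilege vector passed here is computed from `cmdObj`, while the command actually forwarded is `newCmd`, and the call gives no hint that this difference is deliberate. The construction of `newCmd` is outside the hunk, so I cannot tell how the two differ, but a reader auditing the getMore re-check needs to know which object is authoritative. I would hoist the check into a named local with a comment, e.g. `// Derived from the user's original command, not the rewritten newCmd.` followed by `const auto privileges = uassertStatusOK(AuthorizationSession::get(opCtx->getClient())->checkAuthorizedToListCollections(dbName, cmdObj));`. The local also makes it plain that an authorization failure throws from `run()` before any request is sent.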
@@ -498,7 +506,14 @@ public:
const auto routingInfo =
uassertStatusOK(Grid::get(opCtx)->catalogCache()->getCollectionRoutingInfo(opCtx, nss));
- return cursorCommandPassthrough(opCtx, nss.db(), routingInfo.db(), cmdObj, nss, &result);
+ return cursorCommandPassthrough(
+ opCtx,
+ nss.db(),
+ routingInfo.db(),
+ cmdObj,
+ nss,
+ &result,
+ {Privilege(ResourcePattern::forExactNamespace(nss), ActionType::listIndexes)});
}
} cmdListIndexes;
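Review bot: The privilege list `{Privilege(ResourcePattern::forExactNamespace(nss), ActionType::listIndexes)}` is spelled out inline in `run()`, separately from whatever this command's own authorization check requires. That check is outside the hunk, so I cannot confirm the two agree today. If they ever drift, getMore would re-evaluate a different privilege than the one the originating command was admitted under. A small shared helper used by both the authorization method and this call would keep them in lockstep. Failing that, add a comment here such as `// Must match the privilege required by this command's authorization check.`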