SERVER-9609 Ensure users can only call getMore on cursors they created

author: Tess Avitabile <tess.avitabile@mongodb.com> 2017-03-21 11:22:11 -0400
committer: Tess Avitabile <tess.avitabile@mongodb.com> 2017-03-22 13:09:21 -0400
commit: d66405f651b0a49a06aacb286e3d1740a0b020af (patch)
tree: 86f20f45d29d63b53137772c13ea8e917193b18e /src/mongo/s/query/store_possible_cursor.cpp
parent: 70151a3b5cc65bd1b16831c523a6f5b477b82c3d (diff)
download: mongo-d66405f651b0a49a06aacb286e3d1740a0b020af.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/src/mongo/s/query/store_possible_cursor.cpp b/src/mongo/s/query/store_possible_cursor.cpp
index 8647871b6a7..4f53b2441bc 100644
--- a/src/mongo/s/query/store_possible_cursor.cpp
+++ b/src/mongo/s/query/store_possible_cursor.cpp
@@ -32,6 +32,7 @@
 
 #include "mongo/base/status_with.h"
 #include "mongo/bson/bsonobj.h"
+#include "mongo/db/auth/authorization_session.h"
 #include "mongo/db/query/cursor_response.h"
 #include "mongo/s/query/cluster_client_cursor_impl.h"
 #include "mongo/s/query/cluster_client_cursor_params.h"
@@ -58,7 +59,9 @@ StatusWith<BSONObj> storePossibleCursor(OperationContext* opCtx,
         return cmdResult;
     }
 
-    ClusterClientCursorParams params(incomingCursorResponse.getValue().getNSS());
+    ClusterClientCursorParams params(
+        incomingCursorResponse.getValue().getNSS(),
+        AuthorizationSession::get(opCtx->getClient())->getAuthenticatedUserNames());
     params.remotes.emplace_back(server, incomingCursorResponse.getValue().getCursorId());
author	Tess Avitabile <tess.avitabile@mongodb.com>	2017-03-21 11:22:11 -0400
committer	Tess Avitabile <tess.avitabile@mongodb.com>	2017-03-22 13:09:21 -0400
commit	d66405f651b0a49a06aacb286e3d1740a0b020af (patch)
tree	86f20f45d29d63b53137772c13ea8e917193b18e /src/mongo/s/query/store_possible_cursor.cpp
parent	70151a3b5cc65bd1b16831c523a6f5b477b82c3d (diff)
download	mongo-d66405f651b0a49a06aacb286e3d1740a0b020af.tar.gz