authorSpencer T Brody <spencer@10gen.com>2012-12-05 20:28:56 -0500
committerSpencer T Brody <spencer@10gen.com>2012-12-07 11:48:02 -0500
commit6da1877e296585e7c435fd6324cafbacf12f7866 (patch)
treee0cc12a9c43e10efa562125b6ad48421b26cfa20 /src/mongo/s
parentce21fd9e58893d9a2d8b036aed6b5b14ad44f93d (diff)
SERVER-7572 Only call addRequiredPrivileges on commands if auth is enabled
Diffstat (limited to 'src/mongo/s')
-rw-r--r--src/mongo/s/commands_public.cpp29
1 files changed, 16 insertions, 13 deletions
diff --git a/src/mongo/s/commands_public.cpp b/src/mongo/s/commands_public.cpp
index 53a8272fc12..be80cbe36a2 100644
--- a/src/mongo/s/commands_public.cpp
+++ b/src/mongo/s/commands_public.cpp
@@ -1828,7 +1828,7 @@ namespace mongo {
if ( !p ) return false;
if ( strcmp(p, ".$cmd") != 0 ) return false;
- bool ok = false;
+ bool ok = true;
BSONElement e = jsobj.firstElement();
map<string,Command*>::iterator i;
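Review bot: Initialising `ok` to `true` turns this function from default-deny into default-allow, so every path that never reaches an explicit `ok = false` now reports success. The command lookup between this declaration and the authorization block is outside the hunk, so it is worth confirming that an empty first element or an unregistered command name cannot fall through with `ok` still true. A narrower alternative is to keep `bool ok = false;` here and track the outcome of the checks in a separate local declared inside the command branch, e.g. `bool authorized = true;`.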
@@ -1844,26 +1844,29 @@ namespace mongo {
char cl[256];
nsToDatabase(ns, cl);
- std::vector<Privilege> privileges;
- c->addRequiredPrivileges(cl, jsobj, &privileges);
- if (c->requiresAuth() &&
- (!client->getAuthorizationManager()->checkAuthForPrivileges(privileges).isOK()
- || !ai->isAuthorizedForLock(cl, c->locktype()))) {
- ok = false;
- errmsg = "unauthorized";
- anObjBuilder.append("note", str::stream() << "unauthorized for command: " <<
- e.fieldName() << " on database " << cl);
+ if (!noauth) {
+ std::vector<Privilege> privileges;
+ c->addRequiredPrivileges(cl, jsobj, &privileges);
+ AuthorizationManager* authManager = client->getAuthorizationManager();
+ if (c->requiresAuth() && (!authManager->checkAuthForPrivileges(privileges).isOK()
+ || !ai->isAuthorizedForLock(cl, c->locktype()))) {
+ ok = false;
+ errmsg = "unauthorized";
+ anObjBuilder.append("note", str::stream() << "unauthorized for command: " <<
+ e.fieldName() << " on database " << cl);
+ }
}
- else if( c->adminOnly() && c->localHostOnlyIfNoAuth( jsobj ) && noauth && !ai->isLocalHost() ) {
+ if (ok && c->adminOnly() && c->localHostOnlyIfNoAuth(jsobj) && noauth &&
+ !ai->isLocalHost()) {
ok = false;
errmsg = "unauthorized: this command must run from localhost when running db without auth";
log() << "command denied: " << jsobj.toString() << endl;
}
- else if ( c->adminOnly() && !startsWith(ns, "admin.") ) {
+ if (ok && c->adminOnly() && !startsWith(ns, "admin.")) {
ok = false;
errmsg = "access denied - use admin db";
}
- else if ( jsobj.getBoolField( "help" ) ) {
+ if (ok && jsobj.getBoolField("help")) {
stringstream help;
help << "help for: " << e.fieldName() << " ";
c->help( help );
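Review bot: Splitting the `else if` chain into independent `if (ok && ...)` tests changes what a trailing `else` after the help block binds to: it now pairs with `if (ok && jsobj.getBoolField("help"))` alone. The help block and the code after it continue outside the hunk, and the 16 insertions and 13 deletions in the diffstat are all accounted for by the visible lines, so that code is unchanged by this commit. If the branch that runs the command is a plain `else`, it would be entered whenever an earlier check set `ok = false`, including the "unauthorized" case. Confirm that the branch is guarded, e.g. `else if (ok) {`, or keep the denial checks in one `if`/`else if` chain so that a denial cannot reach execution.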