Diffstat (limited to 'src/mongo/db/auth/authorization_session.h')
-rw-r--r-- | src/mongo/db/auth/authorization_session.h | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/src/mongo/db/auth/authorization_session.h b/src/mongo/db/auth/authorization_session.h
index f2e6fd0c91c..3e75e0ed381 100644
--- a/src/mongo/db/auth/authorization_session.h
+++ b/src/mongo/db/auth/authorization_session.h
@@ -174,6 +174,25 @@ public:
 // identifier.
 Status checkAuthForKillCursors(const NamespaceString& ns, long long cursorID);
 
+ // Checks if this connection has the privileges necessary to run the aggregation pipeline
+ // specified in 'cmdObj' on the namespace 'ns'.
+ Status checkAuthForAggregate(const NamespaceString& ns, const BSONObj& cmdObj);
+
+ // Checks if this connection has the privileges necessary to create 'ns' with the options
+ // supplied in 'cmdObj'.
+ Status checkAuthForCreate(const NamespaceString& ns, const BSONObj& cmdObj);
+
+ // Checks if this connection has the privileges necessary to modify 'ns' with the options
+ // supplied in 'cmdObj'.
+ Status checkAuthForCollMod(const NamespaceString& ns, const BSONObj& cmdObj);
+
+ // Checks if this connection has the privileges necessary to create or modify the view 'ns'.
+ // Call this function after verifying that the user has the 'createCollection' or 'collMod'
+ // action, respectively.
+ //
+ // 'cmdObj' must have a String field named 'viewOn'.
+ Status checkAuthForCreateOrModifyView(const NamespaceString& ns, const BSONObj& cmdObj);
+
 // Checks if this connection has the privileges necessary to grant the given privilege
 // to a role.
 Status checkAuthorizedToGrantPrivilege(const Privilege& privilege);
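Review bot: The comment on `checkAuthForCreateOrModifyView` places two obligations on the caller that the declaration does not enforce: the `createCollection` or `collMod` action must already have been verified, and `cmdObj` must carry a String field `viewOn`. The method is declared in the public section and `cmdObj` is the client's command document, so a caller that skips the first step gets a decision based on the view privileges alone, and the behaviour on a missing or mistyped `viewOn` is not visible in this hunk. If the only callers are `checkAuthForCreate` and `checkAuthForCollMod`, declaring it under `private:` would remove the ordering hazard. Otherwise the comment should state the failure contract once confirmed against the implementation, for example `// Returns a non-OK Status (never asserts) if 'viewOn' is missing or not a String.` The class body continues outside the hunk.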
@@ -274,6 +293,13 @@ private:
 // lock on the admin database (to update out-of-date user privilege information).
 bool _isAuthorizedForPrivilege(const Privilege& privilege);
 
+ // Helper for recursively checking for privileges in an aggregation pipeline.
+ void _addPrivilegesForStage(const std::string& db,
+ const BSONObj& cmdObj,
+ PrivilegeVector* requiredPrivileges,
+ BSONObj stageSpec,
+ bool haveRecursed = false);
+
 std::unique_ptr<AuthzSessionExternalState> _externalState;
 
 // All Users who have been authenticated on this connection. |
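Review bot: `_addPrivilegesForStage` returns `void`, so the declaration offers no way to report a stage spec it cannot interpret, and the one-line comment does not say what happens in that case. In an authorization path an unrecognised or malformed stage must never leave `requiredPrivileges` with fewer entries than the pipeline needs, and the comment should state how that is guaranteed. It should also say what `haveRecursed` means and which stages trigger the recursion; a bool suggests nesting is limited to one level, but that is inferred from the signature only. The comment says "checking" while the name and out-parameter indicate the helper only collects privileges, so wording such as `// Appends to 'requiredPrivileges' the privileges needed to run 'stageSpec' against 'db'; does not check them.` would match the declaration better. Dropping the `= false` default would make every call site state the recursion flag explicitly.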