From eb46cc62a0d6e08e2cabc0862490d76f2833e8b1 Mon Sep 17 00:00:00 2001
From: Spencer T Brody
Date: Fri, 6 Sep 2013 14:12:13 -0400
Subject: SERVER-9518 Store delegatable roles list in User object in memory
---
 src/mongo/db/auth/user.h | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
(limited to 'src/mongo/db/auth/user.h')
diff --git a/src/mongo/db/auth/user.h b/src/mongo/db/auth/user.h
index 0e164797d33..f2d3cfbb385 100644
--- a/src/mongo/db/auth/user.h
+++ b/src/mongo/db/auth/user.h
@@ -62,6 +62,16 @@ namespace mongo {
 */
 const RoleNameIterator getRoles() const;
+ /**
+ * Returns an iterator that can be used to get the list of roles this user can delegate.
+ */
+ const RoleNameIterator getDelegatableRoles() const;
+
+ /**
+ * Returns whether or not this user is allowed to delegate the given role.
+ */
+ bool canDelegateRole(const RoleName& role) const;
+
 /**
 * Returns the CredentialData for this user.
 */
@@ -108,6 +118,16 @@ namespace mongo {
 */
 void addRoles(const std::vector& roles);
+ /**
+ * Adds the given role name to the list of roles that this user is allowed to delegate.
+ */
+ void addDelegatableRole(const RoleName& role);
+
+ /**
+ * Adds the given role names to the list of roles that this user is allowed to delegate.
+ */
+ void addDelegatableRoles(const std::vector& roles);
+
 /**
 * Adds the given privilege to the list of privileges this user is authorized for.
 */
@@ -153,7 +173,8 @@ namespace mongo {
 // Maps resource name to privilege on that resource
 ResourcePrivilegeMap _privileges;
- unordered_set _roles;
+ unordered_set _roles; // Roles the user actually has privileges from
+ unordered_set _delegatableRoles; // Roles the user is allowed to delegate
 CredentialData _credentials;
-- cgit v1.2.1
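Review bot: The doc comment on `canDelegateRole` in the first hunk does not say what the check matches against, and callers will treat its result as an authorization decision. I would state the contract explicitly, e.g. `* Returns true only if 'role' is in this user's delegatable-roles list; holding a role does not by itself make it delegatable.` That is presumably the intent, since the third hunk keeps `_roles` and `_delegatableRoles` as separate sets, but the implementation is not in this header. The comment on `getDelegatableRoles` should also say how long the returned iterator stays valid if the list is modified afterwards, assuming it walks the member set directly. The enclosing class starts and ends outside the hunk.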
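Review bot: `addDelegatableRole` and `addDelegatableRoles` in the second hunk are public mutators that widen what a user may grant to others, yet their comments do not say who may call them or when. If this list is an in-memory copy of stored user data, as the commit subject suggests, the comments should say it is populated only from the authoritative user record, and whether calling them is safe once the User object is visible to other threads. The hunk adds no way to remove or clear an entry, so a revoked delegation presumably takes effect only when the User object is rebuilt. A line such as `* Only for use while building the User from its stored definition; entries are never removed.` would make that explicit, if it matches the design. The enclosing class starts and ends outside the hunk.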
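Review bot: The new `_delegatableRoles` member in the third hunk has to be carried along wherever a User's state is copied or reset, and this view is limited to user.h so that cannot be confirmed here. A copy that misses it would silently drop delegation rights; that fails closed, but the in-memory object would then disagree with the stored user. I would add a reminder next to the member, e.g. `// Keep in sync with any code that copies or rebuilds User state.`, and check the corresponding source file. The enclosing class starts and ends outside the hunk.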