From d430713c403fa6b065337cf7e480ed70940631ab Mon Sep 17 00:00:00 2001 From: Andy Schwerin Date: Wed, 3 Jul 2013 14:56:21 -0400 Subject: SERVER-1891 Consolidate command authorization checking logic. --- src/mongo/db/commands.h | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'src/mongo/db/commands.h') diff --git a/src/mongo/db/commands.h b/src/mongo/db/commands.h index 5f52aa97de7..edaa185e867 100644 --- a/src/mongo/db/commands.h +++ b/src/mongo/db/commands.h @@ -197,9 +197,29 @@ namespace mongo { // Helper for setting errmsg and ok field in command result object. static void appendCommandStatus(BSONObjBuilder& result, bool ok, const std::string& errmsg); + static void appendCommandStatus(BSONObjBuilder& result, const Status& status); // Set by command line. Controls whether or not testing-only commands should be available. static int testCommandsEnabled; + + private: + /** + * Checks to see if the client is authorized to run the given command with the given + * parameters on the given named database. + * + * fromRepl is true if this command is running as part of oplog application, which for + * historic reasons has slightly different authorization semantics. TODO(schwerin): Check + * to see if this oddity can now be eliminated. + * + * Returns Status::OK() if the command is authorized. Most likely returns + * ErrorCodes::Unauthorized otherwise, but any return other than Status::OK implies not + * authorized. + */ + static Status _checkAuthorization(Command* c, + ClientBasic* client, + const std::string& dbname, + const BSONObj& cmdObj, + bool fromRepl); }; bool _runCommands(const char *ns, BSONObj& jsobj, BufBuilder &b, BSONObjBuilder& anObjBuilder, bool fromRepl, int queryOptions); -- cgit v1.2.1