- Type: Task
- Resolution: Done
- Priority: Major - P3
- Affects Version/s: None
- Component/s: Security
- Fully Compatible
- Integration 18 (08/05/16), Integration 2016-08-29

Access control on views should work exactly as it does for collections.
- If you can(not) create a collection, then you should (not) be able to create a view
There are also some interesting security concerns to consider with regard to access control on a view's backing namespace:
- User can read a view when not authorized to read the view's backing namespace(s)
- If user is (not) authorized to read a collection, they can(not) read a view they create on top of it
However, this ticket *does not* cover authorization checks when calling getMore on a cursor returned by a view. (This means that a user authorized to read a view will still get an authorization error when calling getMore on that cursor.) The work for that will be tracked in SERVER-24771.
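
The rules listed above, written out as a small decision model. This is an added example, not code from the MongoDB server or its test suite. The namespaces, user names and function names are constructed for illustration, and the creation check is one reading of the last bullet: a creator who could read the new view must also be able to read its backing namespace.

```javascript
// Added illustration: a simplified model of this ticket's rules, not MongoDB source code.
// Privileges use the role-document shape; collection "" covers every collection in the db.
function hasAction(privileges, ns, action) {
  const dot = ns.indexOf(".");
  const db = ns.slice(0, dot);
  const coll = ns.slice(dot + 1);
  return privileges.some((p) =>
    p.resource.db === db &&
    (p.resource.collection === "" || p.resource.collection === coll) &&
    p.actions.includes(action));
}

// Creating a view requires what creating a collection requires. Assumed reading of the
// last bullet: if the creator could read the view, they must also read what it is built on.
function canCreateView(privileges, viewNs, backingNs) {
  if (!hasAction(privileges, viewNs, "createCollection")) return false;
  const couldReadView = hasAction(privileges, viewNs, "find");
  if (couldReadView && !hasAction(privileges, backingNs, "find")) return false;
  return true;
}

// Reading an existing view is checked against the view namespace only.
function canReadView(privileges, viewNs) {
  return hasAction(privileges, viewNs, "find");
}

// Constructed sample data (hypothetical database, collections and users).
const VIEW = "hr.salary_summary";
const BACKING = "hr.salaries";
const USERS = {
  reporter: [{ resource: { db: "hr", collection: "salary_summary" }, actions: ["find"] }],
  builder: [{ resource: { db: "hr", collection: "" }, actions: ["createCollection", "find"] }],
  creatorOnly: [{ resource: { db: "hr", collection: "" }, actions: ["createCollection"] }],
  escalator: [
    { resource: { db: "hr", collection: "" }, actions: ["createCollection"] },
    { resource: { db: "hr", collection: "salary_summary" }, actions: ["find"] },
  ],
};

function evaluate(name) {
  const p = USERS[name];
  return {
    createView: canCreateView(p, VIEW, BACKING),
    readView: canReadView(p, VIEW),
    readBacking: hasAction(p, BACKING, "find"),
  };
}

for (const name of Object.keys(USERS)) console.log(name, evaluate(name));
```

The `escalator` case is the one to watch in review: holding `createCollection` plus `find` on the future view name must not be enough to expose a collection the user cannot read directly.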
- depends on
  - SERVER-25448 Replace all usages of ClientBasic with Client (Closed)
- is depended on by
  - SERVER-25526 Merge views_authz.js into auth commands library (Closed)
- related to
  - SERVER-24771 Make queries on views return a cursor on that view (Closed)