-
Type: Bug
-
Resolution: Done
-
Priority: Major - P3
-
Affects Version/s: 3.4.0-rc5
-
Component/s: Security
-
Fully Compatible
-
ALL
-
-
Query 2016-12-12
When auth is enabled, we should force users to specify both "viewOn" and "pipeline". This prevents users from reading sensitive information in the original "viewOn" by only changing "pipeline", or by exposing more information via lookup in the original "pipeline" by only changing "viewOn".
Original Description
In AuthorizationSession::checkAuthForCreateOrModifyView(), we construct a NamespaceString on the "viewOn" field of the command object, to make sure that the user has read privileges on that namespace. However, a user can validly collMod an existing view without specifying a new "viewOn". Because the authorization code always expects "viewOn" to be a field, this scenario causes an exception to be thrown.
The correct behavior would be to first check if cmdObj["viewOn"] exists; if it does not, simply skip the call to checkAuthForAggregate().
- is related to
-
SERVER-26765 Move views tests into jsCore
- Closed