A ClientCursor is associated with the set of users that were authenticated when it was created.
A killCursors should only succeed if the intersection of currently authenticated users and the set of users associated with the ClientCursor is nonempty (or the set of users associated with the ClientCursor is empty), or if the user has the killAnyCursor privilege for that collection.
- causes
-
SERVER-32169 A cursor created with a session cannot be killed outside that session
- Closed
- is related to
-
SERVER-9609 Ensure users can only call getMore on cursors they created
- Closed
- related to
-
SERVER-17856 users on mongods should always be able to run currentOp and killOp on their own operations
- Closed