Details
Improvement
Resolution: Won't Do
Major - P3
None
None
0.2
Description
In our documentation, we say that the find actionType grants you permission to run listCollections.
Say we create a custom role that grants the find actionType on some database:
> db.runCommand({
    createRole: "findRole",
    privileges: [ { resource: { db: "test", collection: "" }, actions: [ "find" ] } ],
    roles: []
  })
A user with the "findRole" role will not be able to run listCollections. This is subtle. It's because specifying empty string as the collection for a resource excludes system collections, and we require permissions on system.namespaces to run listCollections.
While nothing in our documentation is strictly wrong, it is certainly misleading.
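The resource-matching behaviour described above, as a simplified JavaScript model (an added example, not part of the original ticket and not MongoDB's authorization code). The function names, the "orders" collection, the rule that a system collection is any name starting with "system.", and the modelling of listCollections as needing find on system.namespaces are assumptions made for illustration.

```javascript
// Simplified model of privilege resource matching; not MongoDB's implementation.
// Assumption: a "system collection" is any collection whose name starts with "system.".
function isSystemCollection(name) {
  return name.startsWith("system.");
}

// Does a privilege's resource pattern cover the namespace db.collection?
function resourceMatches(resource, db, collection) {
  // db: "" is treated as "any database".
  if (resource.db !== "" && resource.db !== db) return false;
  // collection: "" is a wildcard that skips system collections.
  if (resource.collection === "") return !isSystemCollection(collection);
  // An explicitly named collection matches even when it is a system collection.
  return resource.collection === collection;
}

// True when at least one privilege grants the action on the namespace.
function isAuthorized(privileges, db, collection, action) {
  return privileges.some(
    (p) => p.actions.includes(action) && resourceMatches(p.resource, db, collection)
  );
}

// Assumption drawn from the ticket: listCollections is allowed only when the
// caller holds find on <db>.system.namespaces.
function canListCollections(privileges, db) {
  return isAuthorized(privileges, db, "system.namespaces", "find");
}

// Privileges of the role created in the ticket.
const findRole = [
  { resource: { db: "test", collection: "" }, actions: ["find"] },
];

// Constructed variant: the same role with the system collection named explicitly.
const findRoleWithNamespaces = findRole.concat([
  { resource: { db: "test", collection: "system.namespaces" }, actions: ["find"] },
]);

// "orders" is a constructed, ordinary (non-system) collection name.
console.log("find on test.orders:", isAuthorized(findRole, "test", "orders", "find"));
console.log("listCollections with findRole:", canListCollections(findRole, "test"));
console.log("listCollections with explicit grant:", canListCollections(findRoleWithNamespaces, "test"));
```
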