  1. Core Server
  2. SERVER-13481

updateUser and updateRole commands should require revokeRole permission only on the databases of roles that are actually being removed

Details

    • Server Security

    Description

      Currently, any time the updateUser or updateRole commands modify the roles that a user or role possesses, they require the permission to revoke any role in the system. This is because we are setting the current roles array to a new one and don't know what roles might be being removed by this update. We should instead fetch the definition of the user/role being updated so we know what that user's/role's current roles are in the authorization check. Once we know the roles it had previously and the roles that its roles array is being set to, we can do a set difference to determine which roles are being removed and then only require the revokeRole privilege on the databases for the roles that are actually being removed.

          People

            backlog-server-security Backlog - Security Team
            spencer@mongodb.com Spencer Brody (Inactive)
            Votes: 0
            Watchers: 2

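
The set-difference check proposed in the description, sketched as an added example (not MongoDB server code and not part of the original ticket). Function names and sample roles are hypothetical; role entries use the `{ role, db }` form, a bare string is taken as a role on the command's database, and only the revokeRole side of the authorization is modelled.

```javascript
// Added illustration; all names here are hypothetical, not server internals.

// Normalize a role entry: a bare string means "role on the command's db".
const normalize = (cmdDb, r) =>
  typeof r === "string" ? { role: r, db: cmdDb } : { role: r.role, db: r.db };

// Unambiguous key so that read@sales and read@hr stay distinct.
const roleKey = (r) => JSON.stringify([r.db, r.role]);

// Databases on which revokeRole is required: the databases of roles that are
// in currentRoles but not in newRoles (set difference current \ new).
function dbsNeedingRevokeRole(cmdDb, currentRoles, newRoles) {
  // An update that does not set the roles field removes nothing.
  if (newRoles === undefined) return new Set();
  const kept = new Set(newRoles.map((r) => roleKey(normalize(cmdDb, r))));
  const dbs = new Set();
  for (const r of currentRoles.map((c) => normalize(cmdDb, c))) {
    if (!kept.has(roleKey(r))) dbs.add(r.db);
  }
  return dbs;
}

// callerRevokeDbs: databases on which the caller holds revokeRole.
// Returns the databases that block the update (empty array = authorized).
function missingRevokeRole(cmdDb, currentRoles, newRoles, callerRevokeDbs) {
  return [...dbsNeedingRevokeRole(cmdDb, currentRoles, newRoles)]
    .filter((db) => !callerRevokeDbs.has(db))
    .sort();
}

// Constructed sample: the user loses readWrite@sales and read@hr,
// keeps read@sales and gains read@reporting.
const currentRoles = [
  { role: "readWrite", db: "sales" },
  { role: "read", db: "sales" },
  { role: "read", db: "hr" },
];
const newRoles = ["read", { role: "read", db: "reporting" }];

// A caller holding revokeRole only on "sales" is blocked by "hr" alone.
console.log(missingRevokeRole("sales", currentRoles, newRoles, new Set(["sales"])));
```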