Details
Improvement
Resolution: Unresolved
Major - P3
None
2.6.0-rc3
Server Security
Description
Currently, any time the updateUser or updateRole commands modify the roles that a user or role possesses, they require the permission to revoke any role in the system. This is because we are setting the current roles array to a new one and don't know what roles might be being removed by this update. We should instead fetch the definition of the user/role being updated so we know what that user's/role's current roles are in the authorization check. Once we know the roles it had previously and the roles that its roles array is being set to, we can do a set difference to determine which roles are being removed and then only require the revokeRole privilege on the databases for the roles that are actually being removed.
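
The set-difference check proposed above, as an added sketch that is not part of the ticket or the MongoDB server code. The function names, the `held` privilege map and the sample roles are assumptions made for illustration; the example also goes one step beyond the ticket by computing the `grantRole` side for roles that are being added.

```javascript
// Added illustration; not MongoDB server code. Roles are {role, db} pairs, as in
// the roles array passed to updateUser/updateRole.

// Canonical key: the same role name on two databases is two distinct roles.
function roleKey(r) {
  return JSON.stringify([r.db, r.role]);
}

// Roles present in `a` but not in `b` (set difference a \ b), de-duplicated.
function roleDifference(a, b) {
  const exclude = new Set(b.map(roleKey));
  const seen = new Set();
  return a.filter((r) => {
    const k = roleKey(r);
    if (exclude.has(k) || seen.has(k)) return false;
    seen.add(k);
    return true;
  });
}

// Databases on which each action is needed to replace currentRoles with newRoles.
function requiredPrivileges(currentRoles, newRoles) {
  const dbsOf = (roles) => [...new Set(roles.map((r) => r.db))].sort();
  return {
    revokeRole: dbsOf(roleDifference(currentRoles, newRoles)),
    grantRole: dbsOf(roleDifference(newRoles, currentRoles)),
  };
}

// Hypothetical check: `held` maps an action name to the Set of databases the
// caller holds that action on.
function isAuthorized(held, currentRoles, newRoles) {
  const need = requiredPrivileges(currentRoles, newRoles);
  return Object.entries(need).every(([action, dbs]) =>
    dbs.every((db) => held[action] !== undefined && held[action].has(db)));
}

// Constructed sample data: the stored definition and the requested roles array.
const current = [
  { role: "readWrite", db: "sales" },
  { role: "read", db: "hr" },
  { role: "dbAdmin", db: "sales" },
];
const updated = [
  { role: "readWrite", db: "sales" },
  { role: "read", db: "reporting" },
];
```

The check is only sound if the definition it reads is the one the update is applied to, so the read and the write have to happen atomically with respect to other role changes.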