Details
-
Bug
-
Resolution: Unresolved
-
Major - P3
-
None
-
None
-
None
-
Server Security
-
ALL
-
Platforms 2017-01-23
-
0
Description
It appears that in 2.6, while making the system.* collections harder to work directly with things seem to have gotten perhaps a bit too overzealous.
In particular, should someone have a collection names system.users in a database other than admin, it is effectively useless, yet a source of great confusion to some.
From https://github.com/mongodb/mongo/blame/562c8cb3faff5e9fc0acdc45db8dc2d498eb2000/src/mongo/db/catalog/database.cpp#L342 it would make sense for s.isSystem() to check if it's in the admin database or not.
Repro:
- make a table called system.users in any database but admin.
- attempt to delete it.
- fail
- give yourself __system role.
- still fail.