  1. Core Server
  2. SERVER-24724

Views works with authorization

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.3.11
    • Component/s: Security
    • Labels:
    • Backwards Compatibility:
      Fully Compatible
    • Sprint:
      Integration 18 (08/05/16), Integration 2016-08-29

      Description

      Access control on views should work exactly as it does for collections.

      • If you can(not) create a collection, then you should (not) be able to create a view

      There are also some interesting security concerns to consider with regard to access control on a view's backing namespace:

      • User can read a view when not authorized to read the view's backing namespace(s)
      • If user is (not) authorized to read a collection, they can(not) read a view they create on top of it

      However, this ticket *does not* cover authorization checks when calling getMore on a cursor returned by a view. (This means that a user authorized to read a view will still get an authorization error when calling getMore on that cursor.) The work for that will be tracked in SERVER-24771.
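The rules in the description, written out as a small authorization model. This is an added example, not code from the ticket or from the MongoDB server: the privilege shape, the namespaces, the users, and the choice to enforce the backing-namespace check at view creation are all assumptions made for illustration. It does not model the getMore case that is deferred to SERVER-24771.

```javascript
// Simplified model of the rules in this ticket, not MongoDB's implementation.
// The privilege shape { ns, actions } and every sample name are constructed.
function can(user, ns, action) {
  return user.privileges.some(p => p.ns === ns && p.actions.includes(action));
}

// Creating a view needs the privilege that creating a collection needs.
// Assumed enforcement point: a creator who could read the new view must also
// be able to read every backing namespace, so a view cannot be used to read
// data the creator has no direct access to.
function authorizeCreateView(user, viewNs, backingNss) {
  if (!can(user, viewNs, "createCollection")) {
    return { ok: false, reason: "missing createCollection on " + viewNs };
  }
  if (can(user, viewNs, "find")) {
    const denied = backingNss.filter(ns => !can(user, ns, "find"));
    if (denied.length > 0) {
      return { ok: false, reason: "missing find on " + denied.join(", ") };
    }
  }
  return { ok: true, reason: null };
}

// Reading a view is checked against the view's own namespace only.
function authorizeReadView(user, viewNs) {
  const ok = can(user, viewNs, "find");
  return { ok, reason: ok ? null : "missing find on " + viewNs };
}

// Constructed users: hr.publicStaff is a view over hr.staff.
const viewPrivs = { ns: "hr.publicStaff", actions: ["createCollection", "find"] };
const analyst = { privileges: [{ ns: "hr.publicStaff", actions: ["find"] }] };
const builder = { privileges: [viewPrivs] };
const owner = { privileges: [viewPrivs, { ns: "hr.staff", actions: ["find"] }] };

function demo() {
  return {
    analystReads: authorizeReadView(analyst, "hr.publicStaff"),
    analystCreates: authorizeCreateView(analyst, "hr.publicStaff", ["hr.staff"]),
    builderCreates: authorizeCreateView(builder, "hr.publicStaff", ["hr.staff"]),
    ownerCreates: authorizeCreateView(owner, "hr.publicStaff", ["hr.staff"]),
  };
}

console.log(demo());
```

The `analyst` case is the first security concern in the list (read the view without access to `hr.staff`); the `builder` case is the second (no read on the backing collection, so no self-created readable view over it).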

              People

              Assignee:
              kyle.suarez Kyle Suarez
              Reporter:
              kyle.suarez Kyle Suarez