Core Server / SERVER-27194

Views should require both "viewOn" and "pipeline" to be specified if modifying view when auth is enabled


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 3.4.0-rc5
    • Fix Version/s: 3.4.1, 3.5.1
    • Component/s: Security
    • Backwards Compatibility: Fully Compatible
    • Operating System: ALL
    • Steps to reproduce:

      Launch mongod with --auth, then do

      assert.commandWorked(db.createView("view", "collection", [{ $match: { team: "query" } }]));
      assert.commandWorked(db.runCommand({ collMod: "view", pipeline: [{ $sort: { team: -1 } }] }));

    • Query 2016-12-12

    Description

      When auth is enabled, we should force users to specify both "viewOn" and "pipeline" whenever they modify a view. This prevents a user from reading sensitive information from the original "viewOn" collection by changing only "pipeline", and from exposing more information through a $lookup in the original "pipeline" by changing only "viewOn".

      Original Description

      In AuthorizationSession::checkAuthForCreateOrModifyView(), we construct a NamespaceString from the "viewOn" field of the command object, to make sure that the user has read privileges on that namespace. However, a user can validly collMod an existing view without specifying a new "viewOn". Because the authorization code always expects "viewOn" to be present, this scenario causes an exception to be thrown.

      The correct behavior would be to first check if cmdObj["viewOn"] exists; if it does not, simply skip the call to checkAuthForAggregate().
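      As an added example (not the server's own code), the authorization decision that the fix and the original description above call for, modelled in JavaScript: under auth a collMod that supplies only one of "viewOn"/"pipeline" is refused, and when both are given every collection the new definition reads is checked against the user's read privileges. The function names, the canRead set and the sample commands are assumptions constructed here.

```javascript
// Added example, not MongoDB's own code: a model of the authorization decision that
// SERVER-27194 describes for collMod on a view. The real check lives in the server's
// AuthorizationSession::checkAuthForCreateOrModifyView (C++); everything below
// (function names, the canRead set, the sample commands) is constructed for illustration.

// Collections a pipeline reads in addition to viewOn: the "from" of top-level
// $lookup / $graphLookup stages (nested sub-pipelines are not walked here).
function pipelineSourceCollections(pipeline) {
  const sources = [];
  for (const stage of pipeline) {
    if (stage.$lookup && stage.$lookup.from) sources.push(stage.$lookup.from);
    if (stage.$graphLookup && stage.$graphLookup.from) sources.push(stage.$graphLookup.from);
  }
  return sources;
}

// cmdObj: the collMod command document; canRead: Set of collection names the user may
// read (stand-in for real privileges); authEnabled: whether mongod runs with --auth.
// Returns {ok: true} or {ok: false, reason}.
function checkAuthForModifyView(cmdObj, canRead, authEnabled) {
  if (!authEnabled) return {ok: true};
  const hasViewOn = Object.prototype.hasOwnProperty.call(cmdObj, "viewOn");
  const hasPipeline = Object.prototype.hasOwnProperty.call(cmdObj, "pipeline");
  if (!hasViewOn && !hasPipeline) return {ok: true}; // not a view-definition change
  // The fix: a partial definition is refused, so every namespace the new definition
  // reads is present in cmdObj and can be checked (no exception on a missing viewOn).
  if (hasViewOn !== hasPipeline) {
    return {ok: false, reason: "viewOn and pipeline must both be specified when auth is enabled"};
  }
  const toCheck = [cmdObj.viewOn, ...pipelineSourceCollections(cmdObj.pipeline)];
  for (const ns of toCheck) {
    if (!canRead.has(ns)) return {ok: false, reason: `not authorized to read ${ns}`};
  }
  return {ok: true};
}

// Constructed sample: the user may read only "collection".
const canRead = new Set(["collection"]);
// The issue's repro: pipeline only, under auth -> refused.
const pipelineOnly = checkAuthForModifyView(
  {collMod: "view", pipeline: [{$sort: {team: -1}}]}, canRead, true);
// Both fields, reading only a permitted collection -> allowed.
const fullDefinition = checkAuthForModifyView(
  {collMod: "view", viewOn: "collection", pipeline: [{$match: {team: "query"}}]}, canRead, true);
// Both fields, but a $lookup into a collection the user cannot read -> refused.
const lookupIntoSecret = checkAuthForModifyView(
  {collMod: "view", viewOn: "collection",
   pipeline: [{$lookup: {from: "salaries", localField: "team", foreignField: "team", as: "pay"}}]},
  canRead, true);
```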

            People

              kyle.suarez@mongodb.com Kyle Suarez