Core Server / SERVER-27194

Views should require both "viewOn" and "pipeline" to be specified if modifying view when auth is enabled

    • Fully Compatible
    • ALL

      Launch mongod with --auth, then do

      assert.commandWorked(db.createView("view", "collection", [{ $match: { team: "query" } }] ));
      assert.commandWorked(db.runCommand( { collMod: "view", pipeline: [{ $sort: { team: -1 } }] } ));
      
    • Query 2016-12-12

      When auth is enabled, we should force users to specify both "viewOn" and "pipeline". This prevents users from reading sensitive information in the original "viewOn" by only changing "pipeline", or from exposing more information via lookup in the original "pipeline" by only changing "viewOn".

      Original Description

      In AuthorizationSession::checkAuthForCreateOrModifyView(), we construct a NamespaceString on the "viewOn" field of the command object, to make sure that the user has read privileges on that namespace. However, a user can validly collMod an existing view without specifying a new "viewOn". Because the authorization code always expects "viewOn" to be a field, this scenario causes an exception to be thrown.

      The correct behavior would be to first check if cmdObj["viewOn"] exists; if it does not, simply skip the call to checkAuthForAggregate().
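
      A toy JavaScript model of the authorization decision discussed above, added here as an illustration and not taken from the MongoDB source: it contrasts skipping the read check when "viewOn" is absent with requiring both fields and checking every namespace the new definition reads. The function names, policy labels, user object and `test.*` namespaces are assumptions.

```javascript
// Toy model of the authorization decision for collMod on a view.
// Not MongoDB source: the function names, the user object and the
// namespaces below are constructed for illustration.

// Namespaces a view definition reads: its source plus any $lookup targets.
function namespacesRead(dbName, viewOn, pipeline) {
  const read = new Set([`${dbName}.${viewOn}`]);
  for (const stage of pipeline) {
    if (stage.$lookup && typeof stage.$lookup.from === "string") {
      read.add(`${dbName}.${stage.$lookup.from}`);
    }
  }
  return read;
}

// policy "skip": omit the read check when "viewOn" is absent (original proposal).
// policy "requireBoth": reject partial definitions, then check every namespace.
function authorizeViewCollMod(policy, user, dbName, cmd) {
  const hasViewOn = typeof cmd.viewOn === "string";
  const hasPipeline = Array.isArray(cmd.pipeline);
  if (policy === "requireBoth" && !(hasViewOn && hasPipeline)) {
    return { ok: false, reason: 'must specify both "viewOn" and "pipeline"' };
  }
  if (!hasViewOn) {
    // Only reachable under "skip": nothing verifies what the view exposes.
    return { ok: true, reason: "read check skipped" };
  }
  for (const ns of namespacesRead(dbName, cmd.viewOn, cmd.pipeline || [])) {
    if (!user.canRead.has(ns)) {
      return { ok: false, reason: `not authorized to read ${ns}` };
    }
  }
  return { ok: true, reason: "authorized on all namespaces read" };
}

// Constructed user: may read the view but not its source collection.
const user = { canRead: new Set(["test.view"]) };
const pipelineOnly = { collMod: "view", pipeline: [{ $sort: { team: -1 } }] };
const full = { collMod: "view", viewOn: "collection", pipeline: [{ $sort: { team: -1 } }] };

console.log(authorizeViewCollMod("skip", user, "test", pipelineOnly));
console.log(authorizeViewCollMod("requireBoth", user, "test", pipelineOnly));
console.log(authorizeViewCollMod("requireBoth", user, "test", full));
```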

            Assignee: Kyle Suarez (kyle.suarez@mongodb.com)
            Reporter: Kyle Suarez (kyle.suarez@mongodb.com)
            Votes: 0
            Watchers: 4
