Once auth'ed for admin, this is kept for the duration of the shell even after switch to another user


    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • Affects Version/s: 1.8.1
    • Component/s: Admin
    • ALL

      Problem:
      After the user is auth'ed for the Admin DB, it appears that this authorization is kept for the duration of the shell. This allows a user who does not have access rights to admin to obtain these privileges.

      Test Case:

      /* Correctly checks for admin rights */
      MongoDB shell version: 1.8.0
      connecting to: test
      > db.auth("thetest","xxx");
      1
      > use admin
      switched to db admin
      > show collections
      Sun Jun 5 12:47:59 uncaught exception: error: {
      "$err" : "unauthorized db:admin lock type:-1 client:127.0.0.1",
      "code" : 10057
      }

      /* Incorrectly checks for admin rights */
      MongoDB shell version: 1.8.0
      connecting to: test
      > use admin
      switched to db admin
      > db.auth("theadmin","yyy");
      1
      > show collections;
      system.indexes
      system.profile
      system.users
      > use test
      switched to db test
      > db.auth("thetest","xxx");
      1
      > use admin
      switched to db admin
      > show collections;
      system.indexes
      system.profile
      system.users

            Assignee:
            Unassigned
            Reporter:
            Alvin Richards (Inactive)