readonly user can save data through mapreduce function with a out-collectionName


    • Type: Bug
    • Resolution: Duplicate
    • Priority: Critical - P2
    • Affects Version/s: 1.8.0
    • Component/s: Security
    • Environment:
      windows-release version
    • ALL

      readonly user can save data through mapreduce function with a out-collectionName
      1. Create a readonly user on a db.
      2. Use this user to connect and auth on the command line.
      3. Test that "readOnly" works well with db.coll.save; it fails and prints "unauthorized".
      // but ...
      4. Create a simple map-reduce function test, such as http://api.mongodb.org/wiki/current/MapReduce.html, Examples => Shell Example 1, and specify the out param with the name "coll".
      5. After the map-reduce finishes, we will see the result in "coll".

      In other words, with a magic map/reduce function, a readOnly user can save anything...
      It's terrible.

            Assignee:
            Unassigned
            Reporter:
            kimmking
            Votes:
            0
            Watchers:
            3

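An added example, not part of the original report and not MongoDB's own code: a sketch of the authorization rule the report implies, where mapReduce counts as a write unless its `out` is inline. The function names, the user object shape and the sample command documents are assumptions made for illustration; the `out` forms covered are a collection name string, `replace`/`merge`/`reduce`, and `inline`.

```javascript
// Added illustration; not MongoDB source. Function names and the user object
// shape are hypothetical.
const WRITE_MODES = ["replace", "merge", "reduce"];

// Returns the collection a mapReduce command would write to, null when the
// results are returned inline, or "<unknown>" when `out` cannot be classified.
function mapReduceOutputTarget(cmd) {
  const out = cmd.out;
  if (typeof out === "string" && out.length > 0) return out;
  if (out !== null && typeof out === "object") {
    // A write mode wins even if `inline` is also present (fail closed).
    for (const mode of WRITE_MODES) {
      if (typeof out[mode] === "string") return out[mode];
    }
    const keys = Object.keys(out);
    if (keys.length === 1 && keys[0] === "inline" && out.inline) return null;
  }
  return "<unknown>"; // missing or malformed `out`: treat as a write
}

// A read-only user may run mapReduce only when nothing is stored.
function authorizeMapReduce(user, cmd) {
  const target = mapReduceOutputTarget(cmd);
  if (target === null) return { allowed: true, target };
  return { allowed: !user.readOnly, target };
}

// Constructed command documents (map/reduce bodies shortened to strings).
const readOnlyUser = { name: "reporter", readOnly: true };
const samples = [
  { mapreduce: "src", map: "m", reduce: "r", out: "coll" }, // the reported case
  { mapreduce: "src", map: "m", reduce: "r", out: { merge: "coll" } },
  { mapreduce: "src", map: "m", reduce: "r", out: { inline: 1 } },
  { mapreduce: "src", map: "m", reduce: "r" }, // no out given
];
for (const cmd of samples) {
  const verdict = authorizeMapReduce(readOnlyUser, cmd);
  console.log(JSON.stringify(cmd.out), "->", JSON.stringify(verdict));
}
```

Only the inline case is allowed for the read-only user; every form that names or implies an output collection is refused.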