Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-92446

Update with $where requires additional privileges

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 8.1.0-rc0
    • Affects Version/s: None
    • Component/s: None
    • None
    • Query Execution
    • Fully Compatible
    • ALL
    • v8.0, v7.3, v7.0, v6.0, v5.0
    • Hide

      python3 buildscripts/resmoke.py run --suite=core jstests/core/query/where/where_system_js.js --mongodSetParameters "

      {'internalQueryFindCommandBatchSize':1}

      "

      Show
      python3 buildscripts/resmoke.py run --suite=core jstests/core/query/where/where_system_js.js --mongodSetParameters " {'internalQueryFindCommandBatchSize':1} "
    • 0

      Queries executed via $where may do getMore which trigger an assertion in the security auth contracts that commands do not need more privileges then they declare in IDL. This occurs because the getMore is executed on the same client as the update command. The checks are both commands are merged together. The fix is to add these getMore privileges to update.

            Assignee:
            rui.liu@mongodb.com Rui Liu
            Reporter:
            mark.benvenuto@mongodb.com Mark Benvenuto
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: