Details
Description
A ClientCursor should be associated with the set of users that were authenticated when it was created. A getMore should only succeed if the intersection of currently authenticated users and the set of users associated with the ClientCursor is nonempty (or the set of users associated with the ClientCursor is empty).
Attachments
Issue Links
- is documented by
-
DOCS-10023 Docs for SERVER-9609: Ensure users can only call getMore on cursors they created
-
- Closed
-
- related to
-
SERVER-20364 Cursor is not closed when querying system.profile collection with clusterMonitor role
-
- Closed
-
-
SERVER-27899 Privilege problems with aggregation
-
- Closed
-
-
SERVER-17856 users on mongods should always be able to run currentOp and killOp on their own operations
-
- Closed
-
-
SERVER-28260 Create a killAnyCursor privilege
-
- Closed
-
-
SERVER-8369 kill cursor of an internal only ClientCursor used for yielding could cause memory corruption
-
- Closed
-