[SERVER-10923] $out can overwrite reserved collections in the "local" database Created: 26/Sep/13  Updated: 10/Dec/14  Resolved: 26/Sep/13

Status: Closed
Project: Core Server
Component/s: Aggregation Framework
Affects Version/s: 2.5.2
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Matt Dannenberg Assignee: Mathias Stearn
Resolution: Done Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Operating System: ALL
Participants:

 Description   

this could completely wreck replication
perhaps we should disallow $out on local?



 Comments   
Comment by Andy Schwerin [ 26/Sep/13 ]

Hard to say. It's a mish-mash, now, but I would like to eventually get to a place where we use one mechanism for all of these access controls. If this is a bug, it's not about aggregation, per se.

Comment by Matt Dannenberg [ 26/Sep/13 ]

I can. I guess we shouldn't be protecting against this except with auth?

Comment by Andy Schwerin [ 26/Sep/13 ]

Can you insert into said collections?

What about with access control enabled (--auth)? (May want to re-test after SERVER-1105 and SERVER-8580)

Generated at Thu Feb 08 03:24:24 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.