[SERVER-11866] Make renameCollectionSameDB only work if you have the same read permission on the source and dest collections
Created: 26/Nov/13  Updated: 30/Oct/15  Resolved: 04/Dec/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.5.4
Fix Version/s: 2.5.5

Type: Bug
Priority: Major - P3
Reporter: Spencer Brody (Inactive)
Assignee: Spencer Brody (Inactive)
Resolution: Done
Votes: 0

Operating System: ALL

 Description   

Currently if you have renameCollectionSameDB on a database, you can rename any collection within that database. The problem is that you could potentially rename from a collection you don't have read access to to one that you do, which is potentially a security hole. We should only let renameCollectionSameDB work if you have read on source, or don't have read on dest.
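
Added example (not part of the ticket or of the MongoDB source): a simplified JavaScript model of the check described above, comparing the behaviour the ticket reports with the rule the description proposes. The helper names, the privilege-matching logic and the sample user are assumptions made for illustration.

```javascript
// Simplified model of privilege documents: {resource: {db, collection}, actions: [...]}.
// Assumption: an empty collection string means "every collection in that database".
function hasAction(privileges, db, collection, action) {
  return privileges.some(p =>
    p.resource.db === db &&
    (p.resource.collection === "" || p.resource.collection === collection) &&
    p.actions.includes(action));
}

// Behaviour reported in the ticket: only the database-level action is checked.
function canRenameBefore(privileges, db, source, dest) {
  return hasAction(privileges, db, "", "renameCollectionSameDB");
}

// Rule proposed in the description: allow only if the user has read (find)
// on the source, or does not have read on the destination.
function canRenameAfter(privileges, db, source, dest) {
  if (!hasAction(privileges, db, "", "renameCollectionSameDB")) return false;
  const readSource = hasAction(privileges, db, source, "find");
  const readDest = hasAction(privileges, db, dest, "find");
  return readSource || !readDest;
}

// Constructed sample: the user may rename within "app" but can read only app.public.
const sampleUser = [
  { resource: { db: "app", collection: "" }, actions: ["renameCollectionSameDB"] },
  { resource: { db: "app", collection: "public" }, actions: ["find"] },
];

function evaluate(privileges, source, dest) {
  return {
    before: canRenameBefore(privileges, "app", source, dest),
    after: canRenameAfter(privileges, "app", source, dest),
  };
}

// unreadable -> readable: the case the ticket closes
console.log("secrets -> public ", evaluate(sampleUser, "secrets", "public"));
// readable -> unreadable: no read access is gained
console.log("public  -> archive", evaluate(sampleUser, "public", "archive"));
// unreadable -> unreadable: no read access is gained
console.log("secrets -> archive", evaluate(sampleUser, "secrets", "archive"));
```

Only the first case changes outcome between the two checks; renames that cannot expose data the user could not already read stay permitted.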



 Comments   
Comment by Githook User [ 03/Dec/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-11866 Make renameCollectionSameDB not work if you have find on the dest but not the source
Branch: master
https://github.com/mongodb/mongo/commit/22a03afae8a1a3b9e9218e8e9985f5bfb8d9ac04
