[SERVER-12611] Possible to introduce role graph cycle if cycle already exists
Created: 04/Feb/14  Updated: 14/Jul/17  Resolved: 14/Jul/17

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.5.5
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Andreas Nilsson
Assignee: DO NOT USE - Backlog - Platform Team
Resolution: Won't Fix
Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

Introduce cycle

db.createRole({role:"A",privileges:[],roles:[]})
db.createRole({role:"B",privileges:[],roles:["A"]})
db.system.roles.update({_id:"admin.A"},{$addToSet:{roles:{"role":"B","db":"admin"}}})

Now it is possible to introduce another cycle

db.createRole({role:"C",privileges:[],roles:[]})
db.createRole({role:"D",privileges:[],roles:["C"]})
db.grantRolesToRole("C",["D"])


Description

If there is a cycle in the role graph, the cycle prevention does not work properly for updateRoles and grantRolesToRole.

Comments
Comment by Mira Carey [ 14/Jul/17 ]

Don't manually add cycles to system tables by writing to them directly.
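
An audit check for the condition this ticket describes, added here as an example (it is not code from the ticket or from the MongoDB project): it walks role documents shaped like admin.system.roles entries and reports inheritance cycles, such as those left behind by a direct write. findRoleCycles and sampleRoles are hypothetical names, and the sample documents are constructed to match the state after the reproduction steps, plus one extra role E.

```javascript
// Constructed sample: documents shaped like admin.system.roles entries, in the
// state the reproduction steps leave them in (E is an extra, acyclic role).
const sampleRoles = [
  { _id: "admin.A", role: "A", db: "admin", privileges: [], roles: [{ role: "B", db: "admin" }] },
  { _id: "admin.B", role: "B", db: "admin", privileges: [], roles: [{ role: "A", db: "admin" }] },
  { _id: "admin.C", role: "C", db: "admin", privileges: [], roles: [{ role: "D", db: "admin" }] },
  { _id: "admin.D", role: "D", db: "admin", privileges: [], roles: [{ role: "C", db: "admin" }] },
  { _id: "admin.E", role: "E", db: "admin", privileges: [], roles: [{ role: "A", db: "admin" }] },
];

// Hypothetical helper (not a MongoDB API). Returns one path per back edge
// found by a depth-first walk, e.g. ["admin.A", "admin.B", "admin.A"].
// Every cyclic group of roles yields at least one path; it does not
// enumerate every distinct cycle inside a group.
function findRoleCycles(roleDocs) {
  // Edge list: role id -> ids of the roles it inherits from.
  const edges = new Map();
  for (const doc of roleDocs) {
    edges.set(doc._id, (doc.roles || []).map((r) => `${r.db}.${r.role}`));
  }
  const WHITE = 0, GREY = 1, BLACK = 2; // unvisited, on current path, finished
  const colour = new Map();
  const path = [];
  const cycles = [];
  function visit(id) {
    colour.set(id, GREY);
    path.push(id);
    for (const next of edges.get(id) || []) {
      const c = colour.get(next) || WHITE;
      if (c === GREY) {
        // Back edge: 'next' is already on the current path, so this is a cycle.
        cycles.push(path.slice(path.indexOf(next)).concat(next));
      } else if (c === WHITE && edges.has(next)) {
        // Built-in roles have no document in the collection and are skipped.
        visit(next);
      }
    }
    path.pop();
    colour.set(id, BLACK);
  }
  for (const id of edges.keys()) {
    if ((colour.get(id) || WHITE) === WHITE) visit(id);
  }
  return cycles;
}
```

In the mongo shell the same function can be run over the live collection with findRoleCycles(db.getSiblingDB("admin").system.roles.find().toArray()).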
