[SERVER-13481] updateUser and updateRole commands should require revokeRole permission only on the databases of roles that are actually being removed
Created: 03/Apr/14
Updated: 06/Dec/22

Status: Backlog
Project: Core Server
Component/s: Security, Usability
Affects Version/s: 2.6.0-rc3
Fix Version/s: None

Type: Improvement
Priority: Major - P3
Reporter: Spencer Brody (Inactive)
Assignee: Backlog - Security Team
Resolution: Unresolved
Votes: 0
Labels: platforms-re-triaged
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams:
Server Security
Participants:

Description

Currently, any time the updateUser or updateRole commands modify the roles that a user or role possesses, they require the permission to revoke any role in the system. This is because we are setting the current roles array to a new one and don't know what roles might be being removed by this update. We should instead fetch the definition of the user/role being updated so we know what that user's/role's current roles are in the authorization check. Once we know the roles it had previously and the roles that its roles array is being set to, we can do a set difference to determine which roles are being removed and then only require the revokeRole privilege on the databases for the roles that are actually being removed.
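The check proposed in the description, sketched as an added example (not code from this ticket or from the MongoDB server). The function names, the `callerRevokeDbs` list used to model the caller's revokeRole privileges, and the sample roles are assumptions made for illustration.

```javascript
// Added illustration, not MongoDB server code; every function name is hypothetical.
// A roles-array entry is {role, db} or a bare string meaning "role on the command's database".
function normalize(entry, defaultDb) {
  return typeof entry === "string" ? { role: entry, db: defaultDb } : entry;
}

// Collision-free key for a (db, role) pair.
const roleKey = (r) => JSON.stringify([r.db, r.role]);

// Set difference: roles the target holds now that the new roles array no longer lists.
function removedRoles(current, requested, defaultDb) {
  const keep = new Set(requested.map((e) => roleKey(normalize(e, defaultDb))));
  return current.map((e) => normalize(e, defaultDb)).filter((r) => !keep.has(roleKey(r)));
}

// Databases on which the proposed check would require revokeRole.
function dbsNeedingRevoke(current, requested, defaultDb) {
  const dbs = removedRoles(current, requested, defaultDb).map((r) => r.db);
  return [...new Set(dbs)].sort();
}

// callerRevokeDbs models where the caller holds revokeRole (assumption: a plain list of db names).
function authorizeRolesUpdate(callerRevokeDbs, current, requested, defaultDb) {
  const held = new Set(callerRevokeDbs);
  const missing = dbsNeedingRevoke(current, requested, defaultDb).filter((db) => !held.has(db));
  return { ok: missing.length === 0, missing };
}

// Constructed sample data.
const currentRoles = [
  { role: "readWrite", db: "sales" },
  { role: "dbAdmin", db: "sales" },
  { role: "read", db: "hr" },
];
const newRoles = ["readWrite", { role: "read", db: "reports" }]; // bare string resolves to "sales"

console.log(dbsNeedingRevoke(currentRoles, newRoles, "sales"));
console.log(authorizeRolesUpdate(["hr"], currentRoles, newRoles, "sales"));
console.log(authorizeRolesUpdate([], currentRoles, [...currentRoles, "read"], "sales"));
```

The last call only adds a role, so the difference is empty and no revokeRole privilege is demanded, which is the case the current behaviour rejects for callers without revokeRole on every database.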

