[SERVER-5120] readonly user can save data through mapreduce function with an out-collectionName Created: 28/Feb/12  Updated: 29/Feb/12  Resolved: 29/Feb/12

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 1.8.0
Fix Version/s: None

Type: Bug Priority: Critical - P2
Reporter: kimmking Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: windows-release version
Operating System: ALL

Description

readonly user can save data through mapreduce function with an out-collectionName
1. create a readonly user on a db
2. use this user to connect and auth on command line
3. test that "readOnly" works well with db.coll.save; it fails and prints "unauthorized"
// but ...
4. create a simple map-reduce function test, such as http://api.mongodb.org/wiki/current/MapReduce.html, Examples => Shell Example 1, and specify the out param with a name "coll".
5. after the map-reduce finishes, we will see the result in "coll".

in other words, with a magic map/reduce function, a readOnly user can save anything...
it's terrible.
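The point of the report is that a mapReduce whose `out` names a collection is a write, and must be authorized as one. The following is an added illustration (not MongoDB's code, and not from the reporter or from SERVER-3345) of the check an authorization layer needs: classify the command's `out` option, and require write privilege unless results are returned inline. It assumes the documented `out` forms (a bare collection name, `{replace|merge|reduce: "coll"}` optionally with `db`, or `{inline: 1}`); the `privileges` object and the sample command are constructed for the example.

```javascript
// Added example, not MongoDB's implementation.
// Classify a mapReduce command document by whether its "out" option writes to a
// collection, so authorization can treat it as a write rather than a read.
// Assumed "out" forms (per the documented mapReduce command):
//   "collName"                         -> replaces collName in the current db (write)
//   { replace|merge|reduce: "coll" }   -> write, optionally to another db via "db"
//   { inline: 1 }                      -> results returned to the client only (read)
function mapReduceTarget(cmd) {
  const out = cmd.out;
  if (out === undefined || out === null) {
    throw new Error("mapReduce command has no 'out' option");
  }
  if (typeof out === "string") {
    return { writes: true, action: "replace", db: null, collection: out };
  }
  if (typeof out === "object") {
    if (out.inline) {
      return { writes: false, action: "inline", db: null, collection: null };
    }
    for (const action of ["replace", "merge", "reduce"]) {
      if (typeof out[action] === "string") {
        return { writes: true, action, db: out.db || null, collection: out[action] };
      }
    }
  }
  throw new Error("unrecognised mapReduce 'out' form: " + JSON.stringify(out));
}

// Decide whether a principal with the given privileges may run the command.
// privileges is a constructed shape: { read: bool, write: bool } for the target db.
function authorizeMapReduce(cmd, privileges) {
  const target = mapReduceTarget(cmd);
  if (!privileges.read) {
    return { allowed: false, reason: "read privilege required to run mapReduce" };
  }
  if (target.writes && !privileges.write) {
    return {
      allowed: false,
      reason: "write privilege required to " + target.action + " into " + target.collection,
    };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample: the shape of the report's step 4, with out set to "coll".
const sampleCommand = {
  mapreduce: "events",
  map: "function () { emit(this.user, 1); }",
  reduce: "function (k, vals) { return vals.length; }",
  out: "coll",
};

const readOnlyUser = { read: true, write: false };
// A readOnly user must be refused here; an inline variant is allowed.
const decision = authorizeMapReduce(sampleCommand, readOnlyUser);
console.log(decision.allowed, "-", decision.reason);
```

The classifier is deliberately strict: an `out` it does not recognise throws rather than defaulting to "read", so a new output form cannot silently bypass the write check.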



Comments
Comment by Eliot Horowitz (Inactive) [ 29/Feb/12 ]

See SERVER-3345

Generated at Thu Feb 08 03:07:57 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.