diff --git a/src/mongo/db/catalog/collection_impl.cpp b/src/mongo/db/catalog/collection_impl.cpp
|
index a7197aedf5..efc9904cba 100644
|
--- a/src/mongo/db/catalog/collection_impl.cpp
|
+++ b/src/mongo/db/catalog/collection_impl.cpp
|
@@ -440,8 +440,33 @@ Status CollectionImpl::checkValidation(OperationContext* opCtx, const BSONObj& d
|
return Status::OK();
|
}
|
|
- if (validatorMatchExpr->matchesBSON(document))
|
- return Status::OK();
|
+ // If the API parameters were set on the operation, then reparse the validator with the new
|
+ // parameters.
|
+ if (APIParameters::get(opCtx).getParamsPassed()) {
|
+ // Before evaluating the match expression, inherit the API version parameters from
|
+ // the OperationContext.
|
+ auto expCtx = _validator.expCtxForFilter->copyWith(opCtx);
|
+
|
+ // If the validation action is "warn" or the level is "moderate", then disallow any
|
+ // encryption keywords. This is to prevent any plaintext data from showing up in the logs.
|
+ MatchExpressionParser::AllowedFeatureSet allowedFeatures =
|
+ MatchExpressionParser::kDefaultSpecialFeatures;
|
+ if (_validationAction == CollectionImpl::ValidationAction::WARN ||
|
+ _validationLevel == CollectionImpl::ValidationLevel::MODERATE)
|
+ allowedFeatures &= ~MatchExpressionParser::AllowedFeatures::kEncryptKeywords;
|
+
|
+ auto statusWithMatcher = MatchExpressionParser::parse(
|
+ _validator.validatorDoc, expCtx, ExtensionsCallbackNoop(), allowedFeatures);
|
+
|
+ if (!statusWithMatcher.isOK()) {
|
+ return statusWithMatcher.getStatus();
|
+ }
|
+ if (statusWithMatcher.getValue()->matchesBSON(document))
|
+ return Status::OK();
|
+ } else {
|
+ if (validatorMatchExpr->matchesBSON(document))
|
+ return Status::OK();
|
+ }
|