[SERVER-9446] No sanity check of role existence when creating users Created: 24/Apr/13  Updated: 11/Jul/16  Resolved: 20/Sep/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.4.3
Fix Version/s: 2.5.3

Type: Bug Priority: Major - P3
Reporter: Andreas Nilsson Assignee: Spencer Brody (Inactive)
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Related
related to SERVER-6246 Manipulate user objects exclusively v... Closed
Operating System: ALL
Participants:

Description

When calling AddUser to add a new user or modifying the roles array, no verification is done that the role actually exists.

This allows simple typos to cause unpredictable authorization behavior and potentially permission problems which are very difficult to troubleshoot. If the system allowed for custom-defined roles, the case would be even stronger.



Comments
Comment by Spencer Brody (Inactive) [ 20/Sep/13 ]

This was done as part of SERVER-6246.

Comment by David Hows [ 06/May/13 ]

This should also cover cases where the user exists only on a given database, such as the admin-db-only roles (readAnyDatabase/readWriteAnyDatabase/userAdminAnyDatabase/dbAdminAnyDatabase/clusterAdmin).
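Added example (not MongoDB's own code, and not the SERVER-6246 fix) of the sanity check the description asks for, including the admin-only roles named in the comment above; the four per-database role names are an assumption drawn from the 2.4 role set, and `db` is assumed to be a shell handle exposing `addUser`:

```javascript
// Role-existence check to run before db.addUser(), as requested in this issue.
// Added example, not MongoDB's code. The built-in role names below are an
// assumption drawn from the 2.4 role set; the admin-only ones are the ones
// quoted in the comment above.
var DB_ROLES = ["read", "readWrite", "dbAdmin", "userAdmin"];
var ADMIN_ONLY_ROLES = ["readAnyDatabase", "readWriteAnyDatabase",
                        "userAdminAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin"];

// Case-insensitive lookup so a typo such as "readwrite" yields a hint.
function suggestRole(name) {
  var all = DB_ROLES.concat(ADMIN_ONLY_ROLES);
  for (var i = 0; i < all.length; i++) {
    if (all[i].toLowerCase() === String(name).toLowerCase()) return all[i];
  }
  return null;
}

// Returns an array of problems; an empty array means every role resolves
// on the database the user is being created in.
function validateUserRoles(dbName, userDoc) {
  var problems = [];
  var roles = userDoc.roles;
  if (!Array.isArray(roles) || roles.length === 0) {
    return ["roles must be a non-empty array"];
  }
  for (var i = 0; i < roles.length; i++) {
    var role = roles[i];
    if (typeof role !== "string") {
      problems.push("role " + JSON.stringify(role) + " is not a string");
    } else if (DB_ROLES.indexOf(role) !== -1) {
      // valid on any database: nothing to report
    } else if (ADMIN_ONLY_ROLES.indexOf(role) !== -1) {
      if (dbName !== "admin") {
        problems.push("role '" + role + "' exists only on the admin database, not '" + dbName + "'");
      }
    } else {
      var hint = suggestRole(role);
      problems.push("unknown role '" + role + "'" + (hint ? " (did you mean '" + hint + "'?)" : ""));
    }
  }
  return problems;
}

// Wrapper that refuses to create the user unless every role validates.
function safeAddUser(db, dbName, userDoc) {
  var problems = validateUserRoles(dbName, userDoc);
  if (problems.length > 0) {
    throw new Error("refusing to add user '" + userDoc.user + "': " + problems.join("; "));
  }
  return db.addUser(userDoc);
}
```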
