[SERVER-9609] Ensure users can only call getMore on cursors they created

Created: 07/May/13 | Updated: 12/Feb/18 | Resolved: 22/Mar/17
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Querying, Security |
| Affects Version/s: | None |
| Fix Version/s: | 3.5.5 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Andy Schwerin | Assignee: | Tess Avitabile (Inactive) |
| Resolution: | Done | Votes: | 1 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: | |
| Backwards Compatibility: | Minor Change |
| Sprint: | Query 2017-03-27 |
| Participants: | |
| Description |

A ClientCursor should be associated with the set of users that were authenticated when it was created. A getMore should only succeed if the intersection of currently authenticated users and the set of users associated with the ClientCursor is nonempty (or the set of users associated with the ClientCursor is empty).
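The rule above, modelled as a small C++ registry. This is an added illustration, not MongoDB server code and not an attachment to this ticket: `CursorRegistry`, `canGetMore` and the user names are constructed for the example. Each cursor stores a snapshot of the users authenticated on the connection that created it, and a getMore is allowed only when that snapshot is empty or shares at least one user with the caller's current authentication set. The scenario functions at the end mirror the two-users question raised in the comments below.

```cpp
// Added example (not MongoDB server code): a minimal model of the
// SERVER-9609 rule. Each cursor records the set of users that were
// authenticated on the connection when it was created; getMore is
// permitted only when that set is empty or intersects the users
// currently authenticated on the calling connection.
#include <cstdint>
#include <map>
#include <set>
#include <string>

using UserSet = std::set<std::string>;

struct ClientCursor {
    std::int64_t id;
    UserSet authenticatedUsers;  // snapshot taken at cursor creation
};

class CursorRegistry {
public:
    // Register a cursor created by a connection authenticated as 'users'
    // (possibly empty, for an unauthenticated connection).
    std::int64_t create(const UserSet& users) {
        const std::int64_t id = nextId_++;
        cursors_.emplace(id, ClientCursor{id, users});
        return id;
    }

    // Returns true when the caller may continue iterating the cursor.
    bool canGetMore(std::int64_t cursorId, const UserSet& currentUsers) const {
        auto it = cursors_.find(cursorId);
        if (it == cursors_.end()) return false;  // unknown cursor id
        const UserSet& owners = it->second.authenticatedUsers;
        if (owners.empty()) return true;  // cursor created without authentication
        for (const auto& user : currentUsers) {
            if (owners.count(user)) return true;  // nonempty intersection
        }
        return false;  // no shared authenticated user: reject the getMore
    }

private:
    std::int64_t nextId_ = 1;
    std::map<std::int64_t, ClientCursor> cursors_;
};

// Constructed scenario: connection 1 is authenticated as both alice and
// bob when it creates the cursor; connection 2 is authenticated as bob
// only. Under the stated rule the intersection {bob} is nonempty.
bool demoBobCanContinueAliceAndBobCursor() {
    CursorRegistry registry;
    const std::int64_t id = registry.create({"alice", "bob"});
    return registry.canGetMore(id, {"bob"});
}

// Constructed scenario: a cursor created by alice, continued by carol.
bool demoStrangerCannotContinue() {
    CursorRegistry registry;
    const std::int64_t id = registry.create({"alice"});
    return registry.canGetMore(id, {"carol"});
}

// Constructed scenario: a cursor created with no authenticated users.
bool demoUnauthenticatedCursorIsOpen() {
    CursorRegistry registry;
    const std::int64_t id = registry.create({});
    return registry.canGetMore(id, {"alice"});
}
```

The empty-owner-set branch is the parenthetical in the description: a cursor created on an unauthenticated connection is not bound to anyone. Everything else is a plain set intersection, which is why multi-user authentication on one connection widens who can resume a cursor.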
| Comments |
| Comment by Tess Avitabile (Inactive) [ 12/Feb/18 ] |

That is correct. It is not desirable behavior, but we consider authenticating as two users at the same time to be an improper use of MongoDB. In the future, we intend to remove the ability to authenticate as two users at the same time.
| Comment by Jared D. Cottrell [ 10/Feb/18 ] |
So if connection 1 is authenticated as both Alice and Bob when it issues a query that only Alice can perform but doesn't exhaust the cursor, can connection 2 then authenticate as Bob only and read the cursor with getMore? |
| Comment by Githook User [ 22/Mar/17 ] |

Author: {u'username': u'tessavitabile', u'name': u'Tess Avitabile', u'email': u'tess.avitabile@mongodb.com'}
Message:
| Comment by Githook User [ 21/Mar/17 ] |

Author: {u'username': u'tessavitabile', u'name': u'Tess Avitabile', u'email': u'tess.avitabile@mongodb.com'}
Message: Revert " This reverts commit 9e7974e4b6e2b3fe5e7741dce6549624113af196.
| Comment by Githook User [ 17/Mar/17 ] |

Author: {u'username': u'tessavitabile', u'name': u'Tess Avitabile', u'email': u'tess.avitabile@mongodb.com'}
Message: