[SERVER-9609] Ensure users can only call getMore on cursors they created Created: 07/May/13  Updated: 12/Feb/18  Resolved: 22/Mar/17

Status: Closed
Project: Core Server
Component/s: Querying, Security
Affects Version/s: None
Fix Version/s: 3.5.5

Type: Improvement Priority: Major - P3
Reporter: Andy Schwerin Assignee: Tess Avitabile (Inactive)
Resolution: Done Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
is documented by DOCS-10023 Docs for SERVER-9609: Ensure users ca... Closed
Related
related to SERVER-20364 Cursor is not closed when querying sy... Closed
related to SERVER-27899 Privilege problems with aggregation Closed
related to SERVER-17856 users on mongods should always be abl... Closed
related to SERVER-28260 Create a killAnyCursor privilege Closed
related to SERVER-8369 kill cursor of an internal only Clien... Closed
Backwards Compatibility: Minor Change
Sprint: Query 2017-03-27

Description

A ClientCursor should be associated with the set of users that were authenticated when it was created. A getMore should only succeed if the intersection of currently authenticated users and the set of users associated with the ClientCursor is nonempty (or the set of users associated with the ClientCursor is empty).



Comments
Comment by Tess Avitabile (Inactive) [ 12/Feb/18 ]

That is correct. It is not desirable behavior, but we consider authenticating as two users at the same time to be an improper use of MongoDB. In the future, we intend to remove the ability to authenticate as two users at the same time.

Comment by Jared D. Cottrell [ 10/Feb/18 ]

A ClientCursor should be associated with the set of users that were authenticated when it was created. A getMore should only succeed if the intersection of currently authenticated users and the set of users associated with the ClientCursor is nonempty (or the set of users associated with the ClientCursor is empty).

So if connection 1 is authenticated as both Alice and Bob when it issues a query that only Alice can perform but doesn't exhaust the cursor, can connection 2 then authenticate as Bob only and read the cursor with getMore?
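
To make the rule in the description concrete, including the two-user case Jared asks about above and Tess confirms, here is an added C++ model of the check. It is not the server's ClientCursor code and is not taken from this ticket or its commits; the in-memory cursor table, the GetMoreStatus codes and the user names "alice@admin" and "bob@admin" are assumptions chosen for illustration.

```cpp
#include <map>
#include <set>
#include <string>

// Hypothetical model (not server code): a user is identified by a
// db-qualified name such as "alice@admin".
using UserName = std::string;
using UserSet = std::set<UserName>;

// What a cursor remembers at creation time: the full set of users that
// were authenticated on the creating connection. The set may be empty
// (nobody authenticated, e.g. auth disabled), which the rule treats as "open".
struct CursorRecord {
    long long id;
    UserSet creators;
};

enum class GetMoreStatus { Ok, CursorNotFound, Unauthorized };

// The rule from the ticket description: allow getMore iff the cursor's user
// set is empty, or it shares at least one user with the session's current
// authenticated users (nonempty intersection).
bool isAuthorizedForGetMore(const UserSet& sessionUsers, const CursorRecord& cursor) {
    if (cursor.creators.empty()) {
        return true;
    }
    for (const UserName& u : sessionUsers) {
        if (cursor.creators.count(u) != 0) {
            return true;
        }
    }
    return false;
}

// Minimal in-memory cursor table standing in for ClientCursor bookkeeping.
class CursorManager {
public:
    long long openCursor(const UserSet& sessionUsers) {
        const long long id = nextId_++;
        cursors_.emplace(id, CursorRecord{id, sessionUsers});
        return id;
    }

    // Authorization is checked before any batch would be served, so an
    // unauthorized caller learns nothing beyond the rejection.
    GetMoreStatus getMore(long long id, const UserSet& sessionUsers) const {
        auto it = cursors_.find(id);
        if (it == cursors_.end()) {
            return GetMoreStatus::CursorNotFound;
        }
        if (!isAuthorizedForGetMore(sessionUsers, it->second)) {
            return GetMoreStatus::Unauthorized;
        }
        return GetMoreStatus::Ok;
    }

private:
    long long nextId_ = 1;
    std::map<long long, CursorRecord> cursors_;
};

// The scenarios from the ticket and the comment thread (constructed inputs).
// Returns true when every expectation holds.
bool runTicketScenarios() {
    CursorManager mgr;
    const UserSet alice{"alice@admin"};
    const UserSet bob{"bob@admin"};
    const UserSet both{"alice@admin", "bob@admin"};
    const UserSet nobody;

    // 1. Alice's cursor cannot be drained by a connection authenticated as Bob,
    //    nor by an unauthenticated connection; Alice herself may continue.
    const long long c1 = mgr.openCursor(alice);
    if (mgr.getMore(c1, bob) != GetMoreStatus::Unauthorized) return false;
    if (mgr.getMore(c1, nobody) != GetMoreStatus::Unauthorized) return false;
    if (mgr.getMore(c1, alice) != GetMoreStatus::Ok) return false;

    // 2. The case Jared raised: a cursor opened while authenticated as both
    //    Alice and Bob can be read from a second connection authenticated as
    //    Bob only, because the intersection {bob@admin} is nonempty.
    const long long c2 = mgr.openCursor(both);
    if (mgr.getMore(c2, bob) != GetMoreStatus::Ok) return false;

    // 3. A cursor with no associated users is open to anyone.
    const long long c3 = mgr.openCursor(nobody);
    if (mgr.getMore(c3, bob) != GetMoreStatus::Ok) return false;

    // 4. Unknown cursor id is reported as not found, not as unauthorized.
    if (mgr.getMore(999, alice) != GetMoreStatus::CursorNotFound) return false;
    return true;
}
```

Two points the model makes visible: the check compares the cursor's recorded creators against the session's *current* users, so logging out or re-authenticating on the creating connection changes what that connection may read; and scenario 2 is exactly the consequence of the intersection rule that Tess describes above, which is why the ticket treats multi-user authentication as improper use rather than as something the rule tries to defend.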

Comment by Githook User [ 22/Mar/17 ]

Author: Tess Avitabile (tessavitabile) <tess.avitabile@mongodb.com>

Message: SERVER-9609 Ensure users can only call getMore on cursors they created
Branch: master
https://github.com/mongodb/mongo/commit/d66405f651b0a49a06aacb286e3d1740a0b020af

Comment by Githook User [ 21/Mar/17 ]

Author: Tess Avitabile (tessavitabile) <tess.avitabile@mongodb.com>

Message: Revert "SERVER-9609 Ensure users can only call getMore on cursors they created"

This reverts commit 9e7974e4b6e2b3fe5e7741dce6549624113af196.
Branch: master
https://github.com/mongodb/mongo/commit/cbbdb02faead044e07b5a7d957298cdc07cc9258

Comment by Githook User [ 17/Mar/17 ]

Author: Tess Avitabile (tessavitabile) <tess.avitabile@mongodb.com>

Message: SERVER-9609 Ensure users can only call getMore on cursors they created
Branch: master
https://github.com/mongodb/mongo/commit/9e7974e4b6e2b3fe5e7741dce6549624113af196

Generated at Thu Feb 08 03:20:56 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.