<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 07:58:26 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[DOCS-9473] Document behavior of views when auth is enabled</title>
                <link>https://jira.mongodb.org/browse/DOCS-9473</link>
                <project id="10380" key="DOCS">Documentation</project>
                    <description>&lt;p&gt;We should document how views behave when auth is enabled, because commands that interact with views require specific actions or have restrictions in their authorization checks:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;b&gt;create&lt;/b&gt;: You must have the &lt;tt&gt;createCollection&lt;/tt&gt; action to create a view. There is also another rule, depending on whether or not you can read the view you&apos;re creating:
	&lt;ul&gt;
		&lt;li&gt;If you &lt;em&gt;can&apos;t&lt;/em&gt; read the view you&apos;re about to create, then &lt;tt&gt;createCollection&lt;/tt&gt; suffices.&lt;/li&gt;
		&lt;li&gt;If you &lt;em&gt;can&lt;/em&gt; read the view you&apos;re creating, then you must be able to run an aggregation on the view&apos;s &quot;viewOn&quot; namespace with the specified view &quot;pipeline&quot;.&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;b&gt;collMod&lt;/b&gt;:
	&lt;ol&gt;
		&lt;li&gt;You must specify both &quot;viewOn&quot; and &quot;pipeline&quot; when modifying a view; having only one or the other doesn&apos;t suffice (see &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-27194&quot; title=&quot;Views should require both &amp;quot;viewOn&amp;quot; and &amp;quot;pipeline&amp;quot; to be specified if modifying view when auth is enabled&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-27194&quot;&gt;&lt;del&gt;SERVER-27194&lt;/del&gt;&lt;/a&gt;). (Note that this restriction only applies when auth is enabled.)&lt;/li&gt;
		&lt;li&gt;You must have the &lt;tt&gt;collMod&lt;/tt&gt; action to modify a view. Like &lt;tt&gt;create&lt;/tt&gt;, there is another rule depending on whether or not you can read the view:
		&lt;ul&gt;
			&lt;li&gt;If you &lt;em&gt;can&apos;t&lt;/em&gt; read the view you&apos;re modifying, then &lt;tt&gt;collMod&lt;/tt&gt; suffices.&lt;/li&gt;
			&lt;li&gt;If you &lt;em&gt;can&lt;/em&gt; read the view you&apos;re modifying, then you must be able to run an aggregation on the view&apos;s &quot;viewOn&quot; namespace with the specified view &quot;pipeline&quot;.&lt;/li&gt;
		&lt;/ul&gt;
		&lt;/li&gt;
	&lt;/ol&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;b&gt;all other query operations&lt;/b&gt; (&lt;b&gt;find&lt;/b&gt;/&lt;b&gt;count&lt;/b&gt;/&lt;b&gt;distinct&lt;/b&gt;/&lt;b&gt;aggregate&lt;/b&gt;): the rules for views are exactly the same as for collections. The only noteworthy thing is that a user with the &lt;tt&gt;find&lt;/tt&gt; action on a view can read that view, even if they don&apos;t have &lt;tt&gt;find&lt;/tt&gt; on the view&apos;s underlying namespace. (I suppose this is the whole point of using views in the first place :) )&lt;/li&gt;
&lt;/ul&gt;


&lt;hr /&gt;

&lt;h5&gt;&lt;a name=&quot;OriginalEngineeringTicketDescription&quot;&gt;&lt;/a&gt;Original Engineering Ticket Description&lt;/h5&gt;
&lt;p&gt;Access control on views should work exactly as it does for collections.&lt;/p&gt;
&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;If you can(not) create a collection, then you should (not) be able to create a view&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;There are also some interesting security concerns to consider with regard to access control on a view&apos;s backing namespace:&lt;/p&gt;
&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;User can read a view when not authorized to read the view&apos;s backing namespace(s)&lt;/li&gt;
	&lt;li&gt;If user is (not) authorized to read a collection, they can(not) read a view they create on top of it&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;However, this ticket &lt;b&gt;does not&lt;/b&gt; cover authorization checks when calling &lt;tt&gt;getMore&lt;/tt&gt; on a cursor returned by a view. (This means that a user authorized to read a view will still get an authorization error when calling &lt;tt&gt;getMore&lt;/tt&gt; on that cursor.) The work for that will be tracked in &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-24771&quot; title=&quot;Make queries on views return a cursor on that view&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-24771&quot;&gt;&lt;del&gt;SERVER-24771&lt;/del&gt;&lt;/a&gt;.&lt;/p&gt;</description>
                <environment></environment>
        <key id="335981">DOCS-9473</key>
            <summary>Document behavior of views when auth is enabled</summary>
                <type id="3" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14718&amp;avatarType=issuetype">Task</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="kay.kim@mongodb.com">Kay Kim</assignee>
                                    <reporter username="emily.hall">Emily Hall</reporter>
                        <labels>
                            <label>read-only-views</label>
                    </labels>
                <created>Fri, 2 Dec 2016 18:19:38 +0000</created>
                <updated>Wed, 5 Feb 2020 21:34:42 +0000</updated>
                            <resolved>Mon, 7 Aug 2017 19:23:33 +0000</resolved>
                                                    <fixVersion>3.4.0</fixVersion>
                                        <due></due>
                            <votes>0</votes>
                                    <watches>3</watches>
                                                                                                                <comments>
                            <comment id="1642252" author="xgen-internal-githook" created="Mon, 7 Aug 2017 19:04:47 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;username&apos;: &apos;kay-kim&apos;, &apos;email&apos;: &apos;kay.kim@10gen.com&apos;, &apos;name&apos;: &apos;kay&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/DOCS-9473&quot; title=&quot;Document behavior of views when auth is enabled&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DOCS-9473&quot;&gt;&lt;del&gt;DOCS-9473&lt;/del&gt;&lt;/a&gt; &lt;a href=&quot;https://jira.mongodb.org/browse/DOCS-8900&quot; title=&quot;Document that the validate command fails on views&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DOCS-8900&quot;&gt;&lt;del&gt;DOCS-8900&lt;/del&gt;&lt;/a&gt; &lt;a href=&quot;https://jira.mongodb.org/browse/DOCS-9446&quot; title=&quot;Document which commands work (or don&amp;#39;t work) with views&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DOCS-9446&quot;&gt;&lt;del&gt;DOCS-9446&lt;/del&gt;&lt;/a&gt; views&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/docs/commit/9918ed56ea4b8a13df20ec12c951150578b9c436&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/docs/commit/9918ed56ea4b8a13df20ec12c951150578b9c436&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="1642249" author="xgen-internal-githook" created="Mon, 7 Aug 2017 19:04:41 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;kay&apos;, &apos;username&apos;: &apos;kay-kim&apos;, &apos;email&apos;: &apos;kay.kim@10gen.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/DOCS-9473&quot; title=&quot;Document behavior of views when auth is enabled&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DOCS-9473&quot;&gt;&lt;del&gt;DOCS-9473&lt;/del&gt;&lt;/a&gt; &lt;a href=&quot;https://jira.mongodb.org/browse/DOCS-8900&quot; title=&quot;Document that the validate command fails on views&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DOCS-8900&quot;&gt;&lt;del&gt;DOCS-8900&lt;/del&gt;&lt;/a&gt; &lt;a href=&quot;https://jira.mongodb.org/browse/DOCS-9446&quot; title=&quot;Document which commands work (or don&amp;#39;t work) with views&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DOCS-9446&quot;&gt;&lt;del&gt;DOCS-9446&lt;/del&gt;&lt;/a&gt; views&lt;br/&gt;
Branch: v3.4&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/docs/commit/85dec7eba6b2171dc0765fbfbdefdb2c4c15a910&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/docs/commit/85dec7eba6b2171dc0765fbfbdefdb2c4c15a910&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="1451584" author="kyle.suarez" created="Wed, 7 Dec 2016 18:56:42 +0000"  >&lt;p&gt;I don&apos;t think I&apos;ve seen any documentation regarding views and authorization, so I&apos;ve modified the ticket to describe what I think we should document. (If I&apos;m wrong, and there does exist documentation, please let me know.) Feel free to split this up into sub-tickets, since there are several commands affected.&lt;/p&gt;

&lt;p&gt;I&apos;ve also linked this ticket to both &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-24724&quot; title=&quot;Views works with authorization&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-24724&quot;&gt;&lt;del&gt;SERVER-24724&lt;/del&gt;&lt;/a&gt; and &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-27194&quot; title=&quot;Views should require both &amp;quot;viewOn&amp;quot; and &amp;quot;pipeline&amp;quot; to be specified if modifying view when auth is enabled&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-27194&quot;&gt;&lt;del&gt;SERVER-27194&lt;/del&gt;&lt;/a&gt;, since they can both be done at the same time.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10320">
                    <name>Documented</name>
                                            <outwardlinks description="documents">
                                        <issuelink>
            <issuekey id="334634">SERVER-27194</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="295867">SERVER-24724</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                                        </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>3.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Wed, 7 Dec 2016 18:56:42 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        6 years, 27 weeks, 2 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_10857" key="com.pyxis.greenhopper.jira:gh-epic-link">
                        <customfieldname>Epic Link</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>DOCS-8728</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>jess.mokrzecki@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            6 years, 27 weeks, 2 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>emily.hall</customfieldvalue>
            <customfieldvalue>xgen-internal-githook</customfieldvalue>
            <customfieldvalue>kay.kim@mongodb.com</customfieldvalue>
            <customfieldvalue>kyle.suarez@mongodb.com</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrl8b3:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hssh53:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10557" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="1324">KANBAN BUCKET</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrzcjr:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                </customfields>
    </item>
</channel>
</rss>