<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 03:31:05 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-13239] Make eval permission checking more granular</title>
                <link>https://jira.mongodb.org/browse/SERVER-13239</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;Currently the eval command requires all available permissions in order to run. It would be better to only require permissions for the actual operations that are performed by the enclosed script.&lt;/p&gt;

&lt;p&gt;This is currently prevented by the way we parse and execute JavaScript so it is a non-trivial problem to solve.&lt;/p&gt;</description>
                <environment></environment>
        <key id="121900">SERVER-13239</key>
            <summary>Make eval permission checking more granular</summary>
                <type id="4" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14710&amp;avatarType=issuetype">Improvement</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="backlog-server-platform">DO NOT USE - Backlog - Platform Team</assignee>
                                    <reporter username="andreas.nilsson">Andreas Nilsson</reporter>
                        <labels>
                    </labels>
                <created>Mon, 17 Mar 2014 21:35:02 +0000</created>
                <updated>Mon, 10 Sep 2018 17:42:49 +0000</updated>
                            <resolved>Mon, 10 Sep 2018 17:42:49 +0000</resolved>
                                    <version>2.6.0-rc1</version>
                                                    <component>Security</component>
                                        <votes>1</votes>
                                    <watches>4</watches>
                                                                                                                <comments>
                            <comment id="1998289" author="sara.williamson" created="Mon, 10 Sep 2018 17:42:49 +0000"  >&lt;p&gt;db.eval has been removed.&lt;/p&gt;</comment>
                            <comment id="524934" author="andreas.nilsson@10gen.com" created="Thu, 27 Mar 2014 18:34:47 +0000"  >&lt;p&gt;Ok I see. I agree with the need for a more granular access control of eval. However this will not be released within the near future so finding a way around it, or not using eval is probably the better choice. I have moved the ticket to &quot;Planned but not scheduled&quot;.&lt;/p&gt;

&lt;p&gt;If you need more practical advice regarding alternatives you can either post a topic to &lt;a href=&quot;https://groups.google.com/forum/#!forum/mongodb-user&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://groups.google.com/forum/#!forum/mongodb-user&lt;/a&gt; or file a support ticket.&lt;/p&gt;

&lt;p&gt;Andreas&lt;/p&gt;</comment>
                            <comment id="524543" author="hlidobe" created="Thu, 27 Mar 2014 14:51:54 +0000"  >&lt;p&gt;We use MongoDB &quot;like MySQL&quot;, i.e. we have about 50 databases, one per client and obviously they don&apos;t have access to each other&apos;s databases.&lt;/p&gt;

&lt;p&gt;Some maintenance operations are done through &quot;executed&quot; (meaning eval&apos;ed apparently) scripts via our CMS. Those scripts could be directly used with the CLI utility but that would mean installing the full suite on every server. This could be solved that way.&lt;/p&gt;

&lt;p&gt;We also have a few operations that are much more easily performed through a JavaScript script than fetching records and manipulating them &quot;client&quot; side. We don&apos;t care much about the write-lock as we have a low write volume and the operation is quite fast. Our main problem here is going through 50+ sites to ensure everything still works fine after rewriting the relevant parts.&lt;/p&gt;</comment>
                            <comment id="524456" author="andreas.nilsson@10gen.com" created="Thu, 27 Mar 2014 13:59:29 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=hlidobe&quot; class=&quot;user-hover&quot; rel=&quot;hlidobe&quot;&gt;hlidobe&lt;/a&gt; can you elaborate on your use case a little bit and how you are using eval? Maybe there is a different way forward than having to downgrade to 2.2.&lt;/p&gt;

&lt;p&gt;Thank you,&lt;br/&gt;
Andreas&lt;/p&gt;</comment>
                            <comment id="524101" author="hlidobe" created="Wed, 26 Mar 2014 21:59:27 +0000"  >&lt;p&gt;This is a huge issue for us. We had to downgrade a new server to 2.2 to overcome this &quot;feature&quot;. Our use case implies many small databases with restricted access by clients and we obviously can&apos;t grant everyone access to all databases!&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                                                <inwardlinks description="is related to">
                                                        </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>5.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Wed, 26 Mar 2014 21:59:27 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        5 years, 22 weeks, 2 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>sara.williamson@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            5 years, 22 weeks, 2 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_10000" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Old_Backport</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10000"><![CDATA[No]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>andreas.nilsson</customfieldvalue>
            <customfieldvalue>backlog-server-platform</customfieldvalue>
            <customfieldvalue>hlidobe</customfieldvalue>
            <customfieldvalue>sara.williamson@mongodb.com</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrlyqf:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hr9gtz:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>6468</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hsh29r:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>