<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 04:10:17 UTC 2024

-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-25804] The listCollections command does not take the user&apos;s permissions into account</title>
                <link>https://jira.mongodb.org/browse/SERVER-25804</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;Some use cases have a need for &quot;views&quot; per user, and need to be able to grant access only to certain collections in a single database. This can be achieved easily using user-defined roles, with the correct permissions.&lt;/p&gt;

&lt;p&gt;However, when configuring roles this way, users can still use the &lt;tt&gt;listCollections&lt;/tt&gt; command, and list collections that they cannot read from.&lt;/p&gt;</description>
                <environment></environment>
        <key id="311430">SERVER-25804</key>
            <summary>The listCollections command does not take the user&apos;s permissions into account</summary>
                <type id="4" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14710&amp;avatarType=issuetype">Improvement</type>
                                            <priority id="4" iconUrl="https://jira.mongodb.org/images/icons/priorities/minor.svg">Minor - P4</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="3">Duplicate</resolution>
                                        <assignee username="sara.golemon@mongodb.com">Sara Golemon</assignee>
                                    <reporter username="charles.sarrazin@mongodb.com">Charles Sarrazin</reporter>
                        <labels>
                    </labels>
                <created>Wed, 24 Aug 2016 09:57:20 +0000</created>
                <updated>Mon, 23 Apr 2018 21:59:59 +0000</updated>
                            <resolved>Wed, 14 Mar 2018 21:15:29 +0000</resolved>
                                                                    <component>Security</component>
                                        <votes>0</votes>
                                    <watches>16</watches>
                                                                                                                <comments>
                            <comment id="1834162" author="sara.golemon" created="Wed, 14 Mar 2018 21:14:58 +0000"  >&lt;p&gt;This functionality is currently being implemented in &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-32942&quot; title=&quot;mongo shell: for users authorized to certain namespace, make discovery easy&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-32942&quot;&gt;&lt;del&gt;SERVER-32942&lt;/del&gt;&lt;/a&gt; with the following caveats:&lt;/p&gt;

&lt;p&gt;Users with the listCollections privilege on the database will continue to be able to list collections on that database, whether they have find permissions or not.  However, all users will be able to run &lt;tt&gt;{listCollections:1}&lt;/tt&gt; on any database, and if they don&apos;t have the listCollections permission, then they will receive a list of all collections for which they have the find privilege.&lt;/p&gt;

&lt;p&gt;So for the use-case described in this ticket, I would suggest revoking the listCollections privilege from these users in 4.0 and allowing the implicit discoverability via find to make the relevant collections appear.&lt;/p&gt;</comment>
                            <comment id="1370796" author="schwerin" created="Mon, 29 Aug 2016 17:00:50 +0000"  >&lt;p&gt;I don&apos;t love commands whose behavior changes based on your assigned privileges. We will always need a listCollections that operates like the current one, for administrators who lack read privilege on collections they otherwise manage.&lt;/p&gt;

&lt;p&gt;If we are going to try something like this, we should do it like we did for curOp, where you pass a flag indicating the specific behavior. Even then, I don&apos;t know that it&apos;s fundamentally appropriate to be able to list collections just because you are authorized to find on them.&lt;/p&gt;</comment>
                            <comment id="1370720" author="spencer" created="Mon, 29 Aug 2016 16:05:33 +0000"  >&lt;p&gt;I wonder if what we should do is have listDatabases and listCollections always show dbs/collections a user has explicit privileges on.  I.e., any collections/dbs that the user could discover by running usersInfo with showPrivileges:true on themselves.  So if a user has explicitly been granted &apos;find&apos; on foo.bar, but doesn&apos;t have the listCollections privilege, they would see foo.bar when they ran listCollections.  But if the user had &apos;find&apos; on the &apos;foo&apos; database (and thus implicitly on every collection under it) but didn&apos;t have listCollections, they wouldn&apos;t be able to see any collections in listCollections output.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10010">
                    <name>Duplicate</name>
                                            <outwardlinks description="duplicates">
                                        <issuelink>
            <issuekey id="487905">SERVER-32942</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is duplicated by">
                                        <issuelink>
            <issuekey id="309535">SERVER-25655</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                                        </outwardlinks>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="493431">SERVER-33148</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>3.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Thu, 25 Aug 2016 17:47:35 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        5 years, 48 weeks ago
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>backlog-server-pm</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            5 years, 48 weeks ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>schwerin@mongodb.com</customfieldvalue>
            <customfieldvalue>charles.sarrazin@mongodb.com</customfieldvalue>
            <customfieldvalue>sara.golemon@mongodb.com</customfieldvalue>
            <customfieldvalue>spencer@mongodb.com</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>