<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 03:02:49 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-3345] Read only user - able to create and update collection using map reduce</title>
                <link>https://jira.mongodb.org/browse/SERVER-3345</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;Hi- &lt;/p&gt;

&lt;p&gt;I am able to update a collection created by a read write user using a read only user by invoking map reduce. &lt;/p&gt;

&lt;p&gt;Following is the test scenario. &lt;/p&gt;

&lt;p&gt;Wed Jun 29 00:36:08 &lt;span class=&quot;error&quot;&gt;&amp;#91;initandlisten&amp;#93;&lt;/span&gt; git version: a429cd4f535b2499cc4130b06ff7c26f41c00f04&lt;/p&gt;


&lt;p&gt;===read write user created an out collection in m/r ===&lt;/p&gt;

&lt;p&gt;MongoDB shell version: 1.8.1&lt;br/&gt;
connecting to: test&lt;br/&gt;
&amp;gt; use gp&lt;br/&gt;
switched to db gp&lt;br/&gt;
&amp;gt; db.auth(&quot;gp&quot;,&quot;gp&quot;);&lt;br/&gt;
1&lt;br/&gt;
&amp;gt; show collections&lt;br/&gt;
myColl&lt;br/&gt;
mytest&lt;br/&gt;
system.indexes&lt;br/&gt;
system.profile&lt;br/&gt;
system.users&lt;br/&gt;
&amp;gt; db.myColl.find();&lt;br/&gt;
{ &quot;_id&quot; : 1, &quot;value&quot; : &lt;/p&gt;
{ &quot;count&quot; : 2 }
&lt;p&gt; }&lt;br/&gt;
&amp;gt; m&lt;br/&gt;
Wed Jun 29 02:14:43 ReferenceError: m is not defined (shell):1&lt;br/&gt;
&amp;gt; db.myColl.drop();&lt;br/&gt;
true&lt;br/&gt;
&amp;gt; m=function () {&lt;br/&gt;
...     emit(this.x, &lt;/p&gt;
{count:1}
&lt;p&gt;);&lt;br/&gt;
... }&lt;br/&gt;
function () {&lt;br/&gt;
    emit(this.x, &lt;/p&gt;
{count:1}
&lt;p&gt;);&lt;br/&gt;
}&lt;br/&gt;
&amp;gt; r=function (key, values) {&lt;br/&gt;
...     var total = 0;&lt;br/&gt;
...     for (var i = 0; i &amp;lt; values.length; i++) &lt;/p&gt;
{
...         total += values[i].count;
...     }&lt;br/&gt;
...     return {count:total};&lt;br/&gt;
... }&lt;br/&gt;
function (key, values) {&lt;br/&gt;
    var total = 0;&lt;br/&gt;
    for (var i = 0; i &amp;lt; values.length; i++) {
        total += values[i].count;
    }&lt;br/&gt;
    return {count:total};&lt;br/&gt;
}&lt;br/&gt;
&amp;gt; res=db.mytest.mapReduce(m,r,{out:{reduce:&quot;myColl&quot;}});&lt;br/&gt;
{&lt;br/&gt;
	&quot;result&quot; : &quot;myColl&quot;,&lt;br/&gt;
	&quot;timeMillis&quot; : 43,&lt;br/&gt;
	&quot;counts&quot; : {
		&quot;input&quot; : 1,
		&quot;emit&quot; : 1,
		&quot;output&quot; : 1
	},&lt;br/&gt;
	&quot;ok&quot; : 1,&lt;br/&gt;
}&lt;br/&gt;
&lt;br/&gt;
=======&lt;br/&gt;
Read only user able to update the collection using map reduce. &lt;br/&gt;
MongoDB shell version: 1.8.1&lt;br/&gt;
connecting to: test&lt;br/&gt;
&amp;gt; use gp&lt;br/&gt;
switched to db gp&lt;br/&gt;
&amp;gt; db.auth(&quot;gpr&quot;,&quot;gpr&quot;);&lt;br/&gt;
1&lt;br/&gt;
&amp;gt; m=function () {&lt;br/&gt;
...     emit(this.x, {count:1});&lt;br/&gt;
... }&lt;br/&gt;
function () {&lt;br/&gt;
    emit(this.x, {count:1});&lt;br/&gt;
}&lt;br/&gt;
&amp;gt; function (key, values) {&lt;br/&gt;
...     var total = 0;&lt;br/&gt;
...     for (var i = 0; i &amp;lt; values.length; i++) {...         total += values[i].count;...     }
&lt;p&gt;...     return &lt;/p&gt;
{count:total}
&lt;p&gt;;&lt;br/&gt;
... }&lt;br/&gt;
function (key, values) {&lt;br/&gt;
    var total = 0;&lt;br/&gt;
    for (var i = 0; i &amp;lt; values.length; i++) &lt;/p&gt;
{
        total += values[i].count;
    }&lt;br/&gt;
    return {count:total};&lt;br/&gt;
}&lt;br/&gt;
&amp;gt; res=db.mytest.mapReduce(m,r,{out:{reduce:&quot;myColl&quot;}});&lt;br/&gt;
Wed Jun 29 02:18:21 ReferenceError: r is not defined (shell):1&lt;br/&gt;
&amp;gt; r=function (key, values) {&lt;br/&gt;
...     var total = 0;&lt;br/&gt;
...     for (var i = 0; i &amp;lt; values.length; i++) {
...         total += values[i].count;
...     }&lt;br/&gt;
...     return {count:total};&lt;br/&gt;
... }&lt;br/&gt;
function (key, values) {&lt;br/&gt;
    var total = 0;&lt;br/&gt;
    for (var i = 0; i &amp;lt; values.length; i++) {        total += values[i].count;    }
&lt;p&gt;    return &lt;/p&gt;
{count:total}
&lt;p&gt;;&lt;br/&gt;
}&lt;br/&gt;
&amp;gt; res=db.mytest.mapReduce(m,r,{out:{reduce:&quot;myColl&quot;}});&lt;br/&gt;
{&lt;br/&gt;
	&quot;result&quot; : &quot;myColl&quot;,&lt;br/&gt;
	&quot;timeMillis&quot; : 42,&lt;br/&gt;
	&quot;counts&quot; : &lt;/p&gt;
{
		&quot;input&quot; : 1,
		&quot;emit&quot; : 1,
		&quot;output&quot; : 1
	}
&lt;p&gt;,&lt;br/&gt;
	&quot;ok&quot; : 1,&lt;br/&gt;
}&lt;br/&gt;
&amp;gt; db.myColl.find();                                    &lt;br/&gt;
{ &quot;_id&quot; : 1, &quot;value&quot; : &lt;/p&gt;
{ &quot;count&quot; : 2 }
&lt;p&gt; }&lt;br/&gt;
&amp;gt; &lt;br/&gt;
&amp;gt; res=db.mytest.mapReduce(m,r,{out:{reduce:&quot;myColl&quot;}});&lt;br/&gt;
{&lt;br/&gt;
	&quot;result&quot; : &quot;myColl&quot;,&lt;br/&gt;
	&quot;timeMillis&quot; : 15,&lt;br/&gt;
	&quot;counts&quot; : &lt;/p&gt;
{
		&quot;input&quot; : 1,
		&quot;emit&quot; : 1,
		&quot;output&quot; : 1
	}
&lt;p&gt;,&lt;br/&gt;
	&quot;ok&quot; : 1,&lt;br/&gt;
}&lt;br/&gt;
&amp;gt; db.myColl.find();                                    &lt;br/&gt;
{ &quot;_id&quot; : 1, &quot;value&quot; : &lt;/p&gt;
{ &quot;count&quot; : 3 }
&lt;p&gt; }&lt;br/&gt;
&amp;gt; &lt;br/&gt;
=====&lt;/p&gt;


&lt;p&gt;&amp;gt; db.system.users.find();&lt;/p&gt;
{ &quot;_id&quot; : ObjectId(&quot;4e0a2530e1c6ac893f943018&quot;), &quot;user&quot; : &quot;gpr&quot;, &quot;readOnly&quot; : true, &quot;pwd&quot; : &quot;6653a4201479409166809ecdd8abaadf&quot; }
{ &quot;_id&quot; : ObjectId(&quot;4e0a2560e1c6ac893f943019&quot;), &quot;user&quot; : &quot;gp&quot;, &quot;readOnly&quot; : false, &quot;pwd&quot; : &quot;2e42611f30c3155c7f8de180b0e855ee&quot; }
&lt;p&gt;&amp;gt; &lt;/p&gt;




</description>
                <environment>mac os x</environment>
        <key id="18802">SERVER-3345</key>
            <summary>Read only user - able to create and update collection using map reduce</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="tonyh">Tony Hannan</assignee>
                                    <reporter username="ganesan_pandurangan">ganesan pandurangan</reporter>
                        <labels>
                    </labels>
                <created>Tue, 28 Jun 2011 20:56:18 +0000</created>
                <updated>Tue, 12 Jul 2016 00:18:47 +0000</updated>
                            <resolved>Tue, 25 Oct 2011 14:54:32 +0000</resolved>
                                    <version>1.8.1</version>
                                    <fixVersion>2.1.0</fixVersion>
                                    <component>MapReduce</component>
                                        <votes>0</votes>
                                    <watches>3</watches>
                                                                                                                <comments>
                            <comment id="62602" author="auto" created="Tue, 25 Oct 2011 20:55:31 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{u&apos;login&apos;: u&apos;TonyGen&apos;, u&apos;name&apos;: u&apos;Tony Hannan&apos;, u&apos;email&apos;: u&apos;tony@10gen.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-3345&quot; title=&quot;Read only user - able to create and update collection using map reduce&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-3345&quot;&gt;&lt;del&gt;SERVER-3345&lt;/del&gt;&lt;/a&gt;: Return nice error message when user not authorized to output map-reduce to collection&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/1f7b6cd5383ff472d522ac6df8540f04c80817cd&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/1f7b6cd5383ff472d522ac6df8540f04c80817cd&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="62581" author="auto" created="Tue, 25 Oct 2011 19:02:01 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{u&apos;login&apos;: u&apos;TonyGen&apos;, u&apos;name&apos;: u&apos;Tony Hannan&apos;, u&apos;email&apos;: u&apos;tony@10gen.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-3345&quot; title=&quot;Read only user - able to create and update collection using map reduce&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-3345&quot;&gt;&lt;del&gt;SERVER-3345&lt;/del&gt;&lt;/a&gt;: Read-only user when --auth enable can only do inline mapReduce because other modes write to an output collection&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/f0bc9f913c047bf852d19cdcfb7c76b599bfeb91&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/f0bc9f913c047bf852d19cdcfb7c76b599bfeb91&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="62499" author="auto" created="Tue, 25 Oct 2011 14:47:14 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{u&apos;login&apos;: u&apos;TonyGen&apos;, u&apos;name&apos;: u&apos;Tony Hannan&apos;, u&apos;email&apos;: u&apos;tony@10gen.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-3345&quot; title=&quot;Read only user - able to create and update collection using map reduce&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-3345&quot;&gt;&lt;del&gt;SERVER-3345&lt;/del&gt;&lt;/a&gt;: adhere to coding style&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/4f7d9615530868f2aca24217b07707b4925b21c9&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/4f7d9615530868f2aca24217b07707b4925b21c9&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="57737" author="auto" created="Thu, 29 Sep 2011 23:45:35 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{u&apos;login&apos;: u&apos;TonyGen&apos;, u&apos;name&apos;: u&apos;Tony Hannan&apos;, u&apos;email&apos;: u&apos;tony@10gen.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-3345&quot; title=&quot;Read only user - able to create and update collection using map reduce&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-3345&quot;&gt;&lt;del&gt;SERVER-3345&lt;/del&gt;&lt;/a&gt;: Read-only users can&apos;t output mapReduce to existing collection&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/8e75d326a62dd24ecb9b47e35264ff035c05da11&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/8e75d326a62dd24ecb9b47e35264ff035c05da11&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="57037" author="tonyh" created="Tue, 27 Sep 2011 18:11:30 +0000"  >&lt;p&gt;Bug still exists in 2.0. Read-only user can specify any collection in M/R out parameter, including one that already exists, and overwrite it.&lt;/p&gt;</comment>
                            <comment id="57025" author="eliot" created="Tue, 27 Sep 2011 17:36:11 +0000"  >&lt;p&gt;believe this was fixed in 2.0 - will verify&lt;/p&gt;</comment>
                            <comment id="57012" author="ganesan_pandurangan" created="Tue, 27 Sep 2011 17:12:35 +0000"  >&lt;p&gt;Hi &lt;/p&gt;

&lt;p&gt;Any updates on this ?&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                                        </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>7.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Tue, 27 Sep 2011 17:36:11 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        12 years, 17 weeks, 1 day ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>ramon.fernandez@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            12 years, 17 weeks, 1 day ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_10000" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Old_Backport</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10000"><![CDATA[No]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10032" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Operating System</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10026"><![CDATA[ALL]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>auto</customfieldvalue>
            <customfieldvalue>eliot</customfieldvalue>
            <customfieldvalue>ganesan_pandurangan</customfieldvalue>
            <customfieldvalue>tonyh</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrows7:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hrgcnr:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>8960</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|ht0dyn:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>