Privilege AuthorizationSession::_modifyPrivilegeForSpecialCases(const Privilege& privilege) {
ActionSet newActions;
newActions.addAllActionsFromSet(privilege.getActions());
NamespaceString ns( privilege.getResource() );
if (ns.coll() == "system.users") {
if (newActions.contains(ActionType::insert) ||
newActions.contains(ActionType::update) ||
newActions.contains(ActionType::remove)) {
// End users can't modify system.users directly, only the system can.
newActions.addAction(ActionType::userAdminV1);
} else {
newActions.addAction(ActionType::userAdmin);
}
newActions.removeAction(ActionType::find);
newActions.removeAction(ActionType::insert);
newActions.removeAction(ActionType::update);
newActions.removeAction(ActionType::remove);
} else if (ns.coll() == "system.profile") {
newActions.removeAction(ActionType::find);
newActions.addAction(ActionType::profileRead);
} else if (ns.coll() == "system.indexes" && newActions.contains(ActionType::find)) {
newActions.removeAction(ActionType::find);
newActions.addAction(ActionType::indexRead);
}
return Privilege(privilege.getResource(), newActions);
}
Privilege AuthorizationManager::_modifyPrivilegeForSpecialCases(const Privilege& privilege) {
ActionSet newActions;
newActions.addAllActionsFromSet(privilege.getActions());
std::string collectionName = NamespaceString(privilege.getResource()).coll;
if (collectionName == "system.users") {
newActions.removeAction(ActionType::find);
newActions.removeAction(ActionType::insert);
newActions.removeAction(ActionType::update);
newActions.removeAction(ActionType::remove);
newActions.addAction(ActionType::userAdmin);
} else if (collectionName == "system.profle" && newActions.contains(ActionType::find)) {
newActions.removeAction(ActionType::find);
newActions.addAction(ActionType::profileRead);
}
return Privilege(privilege.getResource(), newActions);
}
