Privilege AuthorizationSession::_modifyPrivilegeForSpecialCases(const Privilege& privilege) { ActionSet newActions; newActions.addAllActionsFromSet(privilege.getActions()); NamespaceString ns( privilege.getResource() ); if (ns.coll() == "system.users") { if (newActions.contains(ActionType::insert) || newActions.contains(ActionType::update) || newActions.contains(ActionType::remove)) { // End users can't modify system.users directly, only the system can. newActions.addAction(ActionType::userAdminV1); } else { newActions.addAction(ActionType::userAdmin); } newActions.removeAction(ActionType::find); newActions.removeAction(ActionType::insert); newActions.removeAction(ActionType::update); newActions.removeAction(ActionType::remove); } else if (ns.coll() == "system.profile") { newActions.removeAction(ActionType::find); newActions.addAction(ActionType::profileRead); } else if (ns.coll() == "system.indexes" && newActions.contains(ActionType::find)) { newActions.removeAction(ActionType::find); newActions.addAction(ActionType::indexRead); } return Privilege(privilege.getResource(), newActions); }
Privilege AuthorizationManager::_modifyPrivilegeForSpecialCases(const Privilege& privilege) { ActionSet newActions; newActions.addAllActionsFromSet(privilege.getActions()); std::string collectionName = NamespaceString(privilege.getResource()).coll; if (collectionName == "system.users") { newActions.removeAction(ActionType::find); newActions.removeAction(ActionType::insert); newActions.removeAction(ActionType::update); newActions.removeAction(ActionType::remove); newActions.addAction(ActionType::userAdmin); } else if (collectionName == "system.profle" && newActions.contains(ActionType::find)) { newActions.removeAction(ActionType::find); newActions.addAction(ActionType::profileRead); } return Privilege(privilege.getResource(), newActions); }