From 52d7736f73c78e70697c8b239eea4ecc24b9541b Mon Sep 17 00:00:00 2001
From: Mathias Stearn <mathias@10gen.com>
Date: Wed, 25 May 2011 15:55:20 -0400
Subject: [PATCH] renameCollection should only require auth on source and dest
 DBs, not admin SERVER-1061

Still technically an admin command and requires running against admin db
---
 db/cloner.cpp          |  5 +++--
 jstests/auth/rename.js | 39 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 jstests/auth/rename.js

diff --git a/db/cloner.cpp b/db/cloner.cpp
index f076281de8f..aec79efda9a 100644
--- a/db/cloner.cpp
+++ b/db/cloner.cpp
@@ -613,6 +613,7 @@ namespace mongo {
         virtual bool adminOnly() const {
             return true;
         }
+        virtual bool requiresAuth() { return false; } // do our own auth
         virtual bool slaveOk() const {
             return false;
         }
@@ -634,7 +635,7 @@ namespace mongo {
             bool capped = false;
             long long size = 0;
             {
-                Client::Context ctx( source );
+                Client::Context ctx( source ); // auths against source
                 NamespaceDetails *nsd = nsdetails( source.c_str() );
                 uassert( 10026 ,  "source namespace does not exist", nsd );
                 capped = nsd->capped;
@@ -643,7 +644,7 @@ namespace mongo {
                         size += i.ext()->length;
             }
 
-            Client::Context ctx( target );
+            Client::Context ctx( target ); //auths against target
 
             if ( nsdetails( target.c_str() ) ) {
                 uassert( 10027 ,  "target namespace exists", cmdObj["dropTarget"].trueValue() );
diff --git a/jstests/auth/rename.js b/jstests/auth/rename.js
new file mode 100644
index 00000000000..424f2548c09
--- /dev/null
+++ b/jstests/auth/rename.js
@@ -0,0 +1,39 @@
+// test renameCollection with auth
+
+port = allocatePorts( 1 )[ 0 ];
+
+baseName = "jstests_rename_auth";
+m = startMongod( "--auth", "--port", port, "--dbpath", "/data/db/" + baseName, "--nohttpinterface" );
+
+db1 = m.getDB( baseName )
+db2 = m.getDB( baseName + '_other' )
+
+// auth not yet checked since we are on localhost
+db1.addUser( "foo", "bar" );
+db2.addUser( "bar", "foo" );
+
+printjson(db1.a.count());
+db1.a.save({});
+assert.eq(db1.a.count(), 1);
+
+//this makes auth required on localhost
+m.getDB('admin').addUser('not', 'used');
+
+// can't run same db w/o auth
+assert.commandFailed( db1.adminCommand({renameCollection:db1.a.getFullName(), to: db1.b.getFullName()}) );
+
+// can run same db with auth
+db1.auth('foo', 'bar')
+assert.commandWorked( db1.adminCommand({renameCollection:db1.a.getFullName(), to: db1.b.getFullName()}) );
+
+// can't run diff db w/o auth
+assert.commandFailed( db1.adminCommand({renameCollection:db1.b.getFullName(), to: db2.a.getFullName()}) );
+
+// can run diff db with auth
+db2.auth('bar', 'foo');
+assert.commandWorked(  db1.adminCommand({renameCollection:db1.b.getFullName(), to: db2.a.getFullName()}) );
+
+// test post conditions
+assert.eq(db1.a.count(), 0);
+assert.eq(db1.b.count(), 0);
+assert.eq(db2.a.count(), 1);