SERVER-778 don't allow running write command with read lock

2024-11-30 09:06:21 +01:00 · 2010-05-11 10:05:34 -04:00 · 2010-05-11 10:05:34 -04:00 · a5e1865e28
commit a5e1865e28
parent 9b9be9a4ee
2 changed files with 11 additions and 12 deletions
--- a/db/dbcommands.cpp
+++ b/db/dbcommands.cpp
@ -1744,6 +1744,9 @@ namespace mongo {
            result.append( "errmsg" , "not master" );
            return false;
        }
+
+        if ( c->adminOnly() )
+            log( 2 ) << "command: " << cmdObj << endl;
        
        if ( c->locktype() == Command::NONE ){
            // we also trust that this won't crash
@ -1756,14 +1759,6 @@ namespace mongo {
     
        bool needWriteLock = c->locktype() == Command::WRITE;
        
-        if ( ! c->requiresAuth() && 
-             ( ai->isAuthorizedReads( dbname ) && 
-               ! ai->isAuthorized( dbname ) ) ){
-            // this means that they can read, but not write
-            // so only get a read lock
-            needWriteLock = false;
-        }
-        
        if ( ! needWriteLock ){
            assert( ! c->logTheOp() );
        }
@ -1771,9 +1766,6 @@ namespace mongo {
        mongolock lk( needWriteLock );
        Client::Context ctx( dbname , dbpath , &lk , c->requiresAuth() );
        
-        if ( c->adminOnly() )
-            log( 2 ) << "command: " << cmdObj << endl;
-        
        try {
            string errmsg;
            if ( ! c->run(dbname, cmdObj, errmsg, result, fromRepl ) ){
--- a/db/dbeval.cpp
+++ b/db/dbeval.cpp
@ -119,11 +119,18 @@ namespace mongo {
        virtual bool requiresAuth() {
            return false;
        }
-        virtual LockType locktype() const { return WRITE; }
+        virtual LockType locktype() const { return NONE; }
        CmdEval() : Command("eval", false, "$eval") { }
        bool run(const string& dbname , BSONObj& cmdObj, string& errmsg, BSONObjBuilder& result, bool fromRepl) {
+            
            AuthenticationInfo *ai = cc().getAuthenticationInfo();
            uassert( 12598 , "$eval reads unauthorized", ai->isAuthorizedReads(dbname.c_str()) );
+            
+            // write security will be enforced in DBDirectClient
+            mongolock lk( ai->isAuthorized( dbname.c_str() ) );
+            Client::Context ctx( dbname );
+            
+
            return dbEval(dbname.c_str(), cmdObj, result, errmsg);
        }
    } cmdeval;