Description
Issue
As per my understanding, only Full Admin users are allowed to manipulate the _system scope. However, I am able to modify the content of the _system._query collection using the Data Writer role.
The following change was made to allow only read access to the _system scope for the bucket_full_access RBAC role: https://review.couchbase.org/c/ns_server/+/174907. I guess a similar change must be done for the Data Writer role as well.
Steps
These are the steps I used to repro this issue:
- Create an RBAC user named abcd with the following roles:
  Manage Scope Functions [*:*], Data Writer [src_bucket:*:*], Data Writer [metadata:*:*], Data Reader [src_bucket:*:*], Data Reader [metadata:*:*], Data DCP Reader [src_bucket:*:*], Data DCP Reader [metadata:*:*]
- Login as user abcd.
- Create an Eventing function that listens for changes on the src_bucket._default._default collection and writes data to the src_bucket._system._query collection.
- Load some data to src_bucket._default._default collection.
Observation
Write operations to the _system scope succeed even though the user does not have Full Admin access.
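The following is an added example, not code from this ticket or from Couchbase. It encodes the authorization rule the ticket expects (writes into any collection of the _system scope require Full Admin; every other keyspace follows the normal Data Writer pattern match), parses the role syntax exactly as listed in the repro steps, and evaluates the abcd user's role set against src_bucket._system._query and src_bucket._default._default. The precise server-side rule, the probe helper and the Python SDK calls it uses are assumptions; the role list is the one from the steps above.

```python
"""Expected RBAC decision for KV writes, modelled from the ticket (added example).

The rule below is an assumption derived from the ticket text: Full Admin may
write anywhere; the _system scope is otherwise read-only; all other keyspaces
are governed by the Data Writer role's [bucket:scope:collection] pattern.
"""
import re
from typing import Iterable, List, NamedTuple

# Matches 'Data Writer [src_bucket:*:*]' as well as unscoped 'Full Admin'.
ROLE_RE = re.compile(r"^(?P<name>[A-Za-z ]+?)\s*(?:\[(?P<target>[^\]]*)\])?$")


class Role(NamedTuple):
    name: str
    bucket: str
    scope: str
    collection: str


def parse_role(text: str) -> Role:
    """Parse one role string; missing scope/collection components default to '*'."""
    m = ROLE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised role syntax: {text!r}")
    parts = (m.group("target") or "*").split(":")
    parts += ["*"] * (3 - len(parts))
    bucket, scope, collection = parts[:3]
    return Role(m.group("name").strip(), bucket, scope, collection)


def _match(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def expected_write_allowed(roles: Iterable[str], bucket: str, scope: str,
                           collection: str) -> bool:
    """Return True if, under the assumed rule, a KV write to the keyspace is allowed."""
    parsed: List[Role] = [parse_role(r) for r in roles]
    if any(r.name == "Full Admin" for r in parsed):
        return True
    if scope == "_system":
        # Assumed rule from the ticket: only Full Admin may write into _system.
        return False
    return any(
        r.name == "Data Writer"
        and _match(r.bucket, bucket)
        and _match(r.scope, scope)
        and _match(r.collection, collection)
        for r in parsed
    )


# The role set given to user abcd in the repro steps.
ABCD_ROLES = [
    "Manage Scope Functions [*:*]",
    "Data Writer [src_bucket:*:*]", "Data Writer [metadata:*:*]",
    "Data Reader [src_bucket:*:*]", "Data Reader [metadata:*:*]",
    "Data DCP Reader [src_bucket:*:*]", "Data DCP Reader [metadata:*:*]",
]


def probe_write(connstr: str, user: str, password: str,
                bucket: str, scope: str, collection: str) -> bool:
    """Attempt a real KV upsert as `user` and report whether the server accepted it.

    Assumed to run against a live cluster with the Couchbase Python SDK 4.x
    installed; imported lazily so the pure-policy functions above work offline.
    """
    from couchbase.auth import PasswordAuthenticator
    from couchbase.cluster import Cluster
    from couchbase.exceptions import CouchbaseException
    from couchbase.options import ClusterOptions

    cluster = Cluster(connstr, ClusterOptions(PasswordAuthenticator(user, password)))
    coll = cluster.bucket(bucket).scope(scope).collection(collection)
    try:
        coll.upsert("rbac-probe", {"probe": True})
        return True
    except CouchbaseException:
        return False


if __name__ == "__main__":
    for target in [("src_bucket", "_default", "_default"), ("src_bucket", "_system", "_query")]:
        print(target, "expected write allowed:", expected_write_allowed(ABCD_ROLES, *target))
```

Comparing `expected_write_allowed` with `probe_write` for the same keyspace gives a one-line regression check: the ticket's observation corresponds to the probe returning True for src_bucket._system._query while the modelled policy returns False.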