Kitter
diff --git a/‎arangod/RestHandler/RestUsersHandler.cpp
Lines changed: 2 additions & 2 deletions b/‎arangod/RestHandler/RestUsersHandler.cpp
Lines changed: 2 additions & 2 deletions
diff --git a/‎arangod/VocBase/AuthInfo.cpp
Lines changed: 38 additions & 3 deletions b/‎arangod/VocBase/AuthInfo.cpp
Lines changed: 38 additions & 3 deletions
diff --git a/‎arangod/VocBase/AuthInfo.h
Lines changed: 10 additions & 0 deletions b/‎arangod/VocBase/AuthInfo.h
Lines changed: 10 additions & 0 deletions
@@ -211,14 +211,14 @@ void RestUsersHandler::generateDatabaseResult(AuthInfo* authInfo,
                 data.add(c->name(), VPackValue("undefined"));
               }
             });
-        lvl = authInfo->canUseCollection(user, vocbase->name(), "*");
+        lvl = authInfo->canUseCollectionNoLock(user, vocbase->name(), "*");
         data.add("*", VPackValue(convertFromAuthLevel(lvl)));
       } else if (lvl != AuthLevel::NONE) {  // hide db's without access
         data.add(vocbase->name(), VPackValue(str));
       }
     });
     if (full) {
-      AuthLevel lvl = authInfo->canUseDatabase(user, "*");
+      AuthLevel lvl = authInfo->canUseDatabaseNoLock(user, "*");
       data("*", VPackValue(VPackValueType::Object))(
           "permission", VPackValue(convertFromAuthLevel(lvl)))();
     }
 
@@ -208,8 +208,9 @@ static VPackBuilder QueryUser(aql::QueryRegistry* queryRegistry,
   if (doc.isExternal()) {
     doc = doc.resolveExternals();
   }
-
-  return VPackBuilder(doc);
+  VPackBuilder result;
+  result.add(doc);
+  return result;
 }
 
 static void ConvertLegacyFormat(VPackSlice doc, VPackBuilder& result) {
@@ -680,6 +681,7 @@ Result AuthInfo::removeAllUsers() {
   Result res;
 
   {
+    MUTEX_LOCKER(locker, _loadFromDBLock);
     WRITE_LOCKER(guard, _authInfoLock);
 
     for (auto const& pair : _authInfo) {
@@ -698,7 +700,6 @@ Result AuthInfo::removeAllUsers() {
 
     // do not get into race conditions with loadFromDB
     {
-      MUTEX_LOCKER(locker, _loadFromDBLock);
       _authInfo.clear();
       _authBasicCache.clear();
       _outdated = true;
@@ -912,6 +913,17 @@ AuthLevel AuthInfo::canUseDatabase(std::string const& username,
   return level;
 }
 
+AuthLevel AuthInfo::canUseDatabaseNoLock(std::string const& username,
+                                         std::string const& dbname) {
+  AuthLevel level = configuredDatabaseAuthLevelInternal(username, dbname, 0);
+  static_assert(AuthLevel::RO < AuthLevel::RW, "ro < rw");
+  if (level > AuthLevel::RO && !ServerState::writeOpsEnabled()) {
+    return AuthLevel::RO;
+  }
+  return level;
+}
+
+
 // internal method called by configuredCollectionAuthLevel
 // asserts that collection name is non-empty and already translated
 // from collection id to name
@@ -986,6 +998,29 @@ AuthLevel AuthInfo::canUseCollection(std::string const& username,
   return level;
 }
 
+AuthLevel AuthInfo::canUseCollectionNoLock(std::string const& username,
+                                           std::string const& dbname,
+                                           std::string const& coll) {
+  if (coll.empty()) {
+    // no collection name given
+    return AuthLevel::NONE;
+  }
+
+  AuthLevel level;
+  if (coll[0] >= '0' && coll[0] <= '9') {
+    std::string tmpColl = DatabaseFeature::DATABASE->translateCollectionName(dbname, coll);
+    level = configuredCollectionAuthLevelInternal(username, dbname, tmpColl, 0);
+  } else {
+    level = configuredCollectionAuthLevelInternal(username, dbname, coll, 0);
+  }
+
+  static_assert(AuthLevel::RO < AuthLevel::RW, "ro < rw");
+  if (level > AuthLevel::RO && !ServerState::writeOpsEnabled()) {
+    return AuthLevel::RO;
+  }
+  return level;
+}
+
 
 
 // public called from HttpCommTask.cpp and VstCommTask.cpp
 
@@ -126,6 +126,16 @@ class AuthInfo {
                              std::string const& dbname,
                              std::string const& coll);
 
+  // No Lock variants of the above to be used in callbacks
+  // Use with CARE! You need to make sure that the lock
+  // is held from outside.
+  AuthLevel canUseDatabaseNoLock(std::string const& username,
+                                 std::string const& dbname);
+  AuthLevel canUseCollectionNoLock(std::string const& username,
+                                   std::string const& dbname,
+                                   std::string const& coll);
+
+
   void setJwtSecret(std::string const&);
   std::string jwtSecret();
   std::string generateJwt(VPackBuilder const&);
Original file line number	Diff line number	Diff line change
`@@ -211,14 +211,14 @@ void RestUsersHandler::generateDatabaseResult(AuthInfo* authInfo,`
`211`	`211`	`data.add(c->name(), VPackValue("undefined"));`
`212`	`212`	`}`
`213`	`213`	`});`
`214`		`- lvl = authInfo->canUseCollection(user, vocbase->name(), "*");`
	`214`	`+ lvl = authInfo->canUseCollectionNoLock(user, vocbase->name(), "*");`
`215`	`215`	`data.add("*", VPackValue(convertFromAuthLevel(lvl)));`
`216`	`216`	`} else if (lvl != AuthLevel::NONE) { // hide db's without access`
`217`	`217`	`data.add(vocbase->name(), VPackValue(str));`
`218`	`218`	`}`
`219`	`219`	`});`
`220`	`220`	`if (full) {`
`221`		`- AuthLevel lvl = authInfo->canUseDatabase(user, "*");`
	`221`	`+ AuthLevel lvl = authInfo->canUseDatabaseNoLock(user, "*");`
`222`	`222`	`data("*", VPackValue(VPackValueType::Object))(`
`223`	`223`	`"permission", VPackValue(convertFromAuthLevel(lvl)))();`
`224`	`224`	`}`