Skip to content

fix: prevent $out and $merge stages when create/update/delete operations are disabled MCP-196 #545

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 11, 2025
Merged

fix: prevent $out and $merge stages when create/update/delete operations are disabled MCP-196 #545

merged 1 commit into from
Sep 11, 2025

Conversation

nirinchev
Copy link
Collaborator

Proposed changes

This expands on the earlier validation to also include disabled tools in the check so that users who don't run the server in readonly mode but have explicitly disabled create, update, or delete operations do not accidentally run aggregations with $out or $merge stages.

@nirinchev nirinchev requested a review from a team as a code owner September 11, 2025 11:24
@Copilot Copilot AI review requested due to automatic review settings September 11, 2025 11:24
Copilot
Copilot AI reviewed Sep 11, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR prevents MongoDB $out and $merge aggregation stages when individual write operations (create, update, delete) are disabled, expanding beyond the existing readonly mode check. This ensures users who selectively disable write operations cannot accidentally run aggregations that would perform writes.

  • Expanded validation logic to check for disabled write operations in addition to readonly mode
  • Added comprehensive test coverage for all three disabled operation types with both $out and $merge stages
  • Updated error messaging to reflect the new validation scenarios

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
src/tools/mongodb/read/aggregate.ts Enhanced validation to prevent write stages when individual operations are disabled
tests/integration/tools/mongodb/read/aggregate.test.ts Added test coverage for disabled operations validation with cleanup

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@nirinchev nirinchev merged commit ce02189 into main Sep 11, 2025
22 of 24 checks passed
@nirinchev nirinchev deleted the ni/aggregate-validations branch September 11, 2025 14:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@himanshusinghs himanshusinghs himanshusinghs approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nirinchev @himanshusinghs