fix(command): RESET should be only allowed to run with admin role (#3191)
diff --git a/src/commands/cmd_server.cc b/src/commands/cmd_server.cc
index fc10803..e90487d 100644
--- a/src/commands/cmd_server.cc
+++ b/src/commands/cmd_server.cc
@@ -1586,7 +1586,7 @@
MakeCmdAttr<CommandSlaveOf>("replicaof", 3, "read-only exclusive no-script admin", NO_KEY),
MakeCmdAttr<CommandStats>("stats", 1, "read-only", NO_KEY),
MakeCmdAttr<CommandRdb>("rdb", -3, "write exclusive admin", NO_KEY),
- MakeCmdAttr<CommandReset>("reset", 1, "ok-loading bypass-multi no-script", NO_KEY),
+ MakeCmdAttr<CommandReset>("reset", 1, "ok-loading bypass-multi no-script admin", NO_KEY),
MakeCmdAttr<CommandApplyBatch>("applybatch", -2, "write no-multi", NO_KEY),
MakeCmdAttr<CommandDump>("dump", 2, "read-only", 1, 1, 1),
MakeCmdAttr<CommandPollUpdates>("pollupdates", -2, "read-only admin", NO_KEY),
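Review bot: The `admin` flag added to the `reset` entry carries no comment explaining why a connection-level command is restricted, so the only record of the reason is the commit title. A one-line comment on that entry, for example `// admin-only on purpose: namespace tokens must not run RESET (#3191)`, would keep a later flag cleanup from silently dropping it. What RESET does to a connection's namespace or role is not visible in this hunk, so the comment should state that effect once it is confirmed against CommandReset. The registration list this entry belongs to starts and ends outside the hunk.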
diff --git a/tests/gocase/unit/reset/reset_test.go b/tests/gocase/unit/reset/reset_test.go
index 9d16edb..af8ab73 100644
--- a/tests/gocase/unit/reset/reset_test.go
+++ b/tests/gocase/unit/reset/reset_test.go
@@ -25,6 +25,7 @@
"testing"
"github.com/apache/kvrocks/tests/gocase/util"
+ "github.com/redis/go-redis/v9"
"github.com/stretchr/testify/require"
)
@@ -65,3 +66,30 @@
require.Equal(t, rdb.Do(ctx, "subscribe", "chan2").Val(), []interface{}{"subscribe", "chan2", (int64)(1)})
})
}
+
+func TestResetAdminOnly(t *testing.T) {
+ srv := util.StartServer(t, map[string]string{
+ "requirepass": "admin",
+ })
+ defer srv.Close()
+
+ ctx := context.Background()
+
+ t.Run("RESET command with namespace token should be forbidden", func(t *testing.T) {
+ adminClient := srv.NewClientWithOption(&redis.Options{
+ Password: "admin",
+ })
+ defer func() { require.NoError(t, adminClient.Close()) }()
+
+ require.NoError(t, adminClient.Do(ctx, "NAMESPACE", "ADD", "test_ns", "test_token").Err())
+ require.NoError(t, adminClient.Do(ctx, "RESET").Err())
+
+ tokenClient := srv.NewClientWithOption(&redis.Options{
+ Password: "test_token",
+ })
+ defer func() { require.NoError(t, tokenClient.Close()) }()
+
+ r := tokenClient.Do(ctx, "RESET")
+ require.ErrorContains(t, r.Err(), "admin permission required to perform the command")
+ })
+}
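Review bot: The subtest in TestResetAdminOnly asserts only the error text returned to the token client; it never checks that the rejected RESET left that connection's privileges unchanged, which is presumably the property the fix protects. After the `require.ErrorContains` line, add a post-condition such as `require.Error(t, tokenClient.Do(ctx, "NAMESPACE", "GET", "*").Err())` so the test fails if a namespace token can still reach an admin-only command. The admin-side `RESET` is likewise checked only for no error; a follow-up command on adminClient would pin down whether that connection keeps its role afterwards. Since `reset` keeps the `bypass-multi` flag, a case that issues RESET inside MULTI from the token client is also worth adding, though how that path is dispatched is not visible in this diff.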