
--noscripting not preventing scripting


I've started my MongoDB server with the --noscripting option:

    mongod --dbpath C:\MongoData --noscripting

However, I can still load JavaScript files and execute the code in them:

    > load('/Users/d.banks/Documents/mongo-rocks/hello-world.js')
    true
    > Hello('Dave')
    Hello Dave!

I assume that the script is running because it's client-side? If that's the case, what determines if a script is client or server side? If not, why is the script running?


Solution

  • This ...

    load('/Users/d.banks/Documents/mongo-rocks/hello-world.js')
    

    ... is an example of client-side scripting. It is client-side because it runs in the client.

    The startup option --noscripting disables server-side scripting, i.e. JavaScript which runs on the server. Examples of this include:

    • $where: the $where is a JavaScript expression or function which is executed server-side
    • $group: the $reduce, $keyf and finalize parameters are JavaScript functions which are executed server-side
    • $mapreduce: the map and reduce parameters are JavaScript functions which are executed server-side

    So, in summary, --noscripting disables server-side scripting; it has no effect on client-side scripting. Server-side scripts are those which execute on the server, with the three listed above being the prime examples.
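As an added example (not part of the original answer): a JavaScript function that inspects a command document and reports the parts that need server-side JavaScript, which is what a mongod started with --noscripting refuses to run. Beyond the cases listed in the answer it also flags `$function` and `$accumulator` (aggregation operators introduced in MongoDB 4.4); the helper name `serverSideJs` and the sample commands are constructed for illustration.

```javascript
// Operators whose value is JavaScript evaluated by mongod. $where is from the
// answer; $function and $accumulator (MongoDB 4.4+) are added here.
const JS_OPERATORS = new Set(['$where', '$function', '$accumulator']);
// Commands that take JavaScript functions as arguments: mapReduce (map, reduce,
// finalize) and the legacy group command ($reduce, $keyf, finalize).
const JS_COMMANDS = new Set(['mapreduce', 'group']);

// Hypothetical helper: returns the paths in a command document that need
// server-side scripting. An empty array means --noscripting does not affect it.
function serverSideJs(cmd) {
  const hits = [];
  // The command name is the first key; compared case-insensitively to be conservative.
  const name = Object.keys(cmd)[0] || '';
  if (JS_COMMANDS.has(name.toLowerCase())) hits.push(name);
  // Walk nested documents and arrays looking for JavaScript-carrying operators.
  const walk = (node, path) => {
    if (Array.isArray(node)) {
      node.forEach((v, i) => walk(v, `${path}[${i}]`));
    } else if (node !== null && typeof node === 'object') {
      for (const [key, value] of Object.entries(node)) {
        const here = path ? `${path}.${key}` : key;
        if (JS_OPERATORS.has(key)) hits.push(here);
        walk(value, here);
      }
    }
  };
  walk(cmd, '');
  return hits;
}

// Constructed sample commands, in the shape passed to db.runCommand().
const samples = [
  { find: 'users', filter: { name: 'Dave' } },
  { find: 'users', filter: { $or: [{ vip: true }, { $where: 'this.credits > this.debits' }] } },
  { mapReduce: 'orders', map: 'function () { emit(this.cust, this.total); }',
    reduce: 'function (k, v) { return Array.sum(v); }', out: { inline: 1 } },
  { aggregate: 'users', cursor: {}, pipeline: [{ $addFields: { tag: { $function: {
    body: 'function (n) { return n.length; }', args: ['$name'], lang: 'js' } } } }] },
];
// load() never shows up in such a document: it runs inside the shell process.
for (const cmd of samples) {
  console.log(Object.keys(cmd)[0], '->', serverSideJs(cmd));
}
```

Running such a check over an application's queries before enabling --noscripting shows which of them depend on server-side JavaScript.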