Bug #20111

open

API responds 200 when a user without enough permissions tries to update its own roles

Added by Tomáš Strachota almost 7 years ago. Updated almost 4 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Users, Roles and Permissions
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Easily reproducible with hammer:

> hammer -u test user info --login test
Id:                    39
Login:                 test
...
Roles:
    Viewer
    Default role
User groups:
...

> hammer -d -u test user remove-role --login test --role 'Viewer'
...
[ INFO 2017-06-26T23:19:59 API] PUT /api/users/39
[DEBUG 2017-06-26T23:19:59 API] Params: {
    "user" => {
        "role_ids" => [
            [0] "9" 
        ]
    }
}
[DEBUG 2017-06-26T23:19:59 API] Headers: {}
[DEBUG 2017-06-26T23:19:59 API] Using authenticator: HammerCLIForeman::Api::SessionAuthenticatorWrapper
[DEBUG 2017-06-26T23:19:59 API] Response: {
               "firstname" => "Test",
                "lastname" => "Test 2",
                    "mail" => "test@test.org",
                   "admin" => false,
          "auth_source_id" => 1,
        "auth_source_name" => "Internal",
                "timezone" => "",
                  "locale" => nil,
           "last_login_on" => "2017-06-26 21:09:52 UTC",
              "created_at" => "2017-06-22 12:22:05 UTC",
              "updated_at" => "2017-06-22 16:54:34 UTC",
                      "id" => 39,
                   "login" => "test",
             "description" => "",
                "ssh_keys" => [],
        "default_location" => nil,
               "locations" => [],
    "default_organization" => nil,
           "organizations" => [
        [0] {
                     "id" => 1,
                   "name" => "Default Organization",
                  "title" => "Default Organization",
            "description" => nil
        }
    ],
         "effective_admin" => false,
       "cached_usergroups" => [],
    "auth_source_internal" => {
          "id" => 1,
        "type" => "AuthSourceInternal",
        "name" => "Internal" 
    },
      "mail_notifications" => [],
                   "roles" => [
        [0] {
                   "name" => "Viewer",
                     "id" => 23,
            "description" => nil,
                 "origin" => "foreman" 
        },
        [1] {
                   "name" => "Default role",
                     "id" => 9,
            "description" => nil,
                 "origin" => "foreman" 
        }
    ],
              "usergroups" => []
}

[DEBUG 2017-06-26T23:19:59 API] Response headers: {
                                 :date => "Mon, 26 Jun 2017 21:19:59 GMT",
                               :server => "thin",
                      :foreman_version => "1.16.0-develop",
                  :foreman_api_version => "2",
                         :content_type => "application/json; charset=utf-8",
                      :apipie_checksum => "ef21fcc2e273f2d5bc8f97d6795b1a3f",
                                 :etag => "W/\"c0d91350c1f38a8f9fb399c68a7a34af-gzip\"",
                        :cache_control => "max-age=0, private, must-revalidate",
                         :x_request_id => "24ed35f6-1f2a-4207-b586-55d7715e4851",
                            :x_runtime => "0.144379",
              :content_security_policy => "default-src 'self'; child-src 'self'; connect-src 'self' ws: wss:; img-src 'self' data: *.gravatar.com; script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'",
            :strict_transport_security => "max-age=631152000; includeSubdomains",
               :x_content_type_options => "nosniff",
                   :x_download_options => "noopen",
                      :x_frame_options => "sameorigin",
    :x_permitted_cross_domain_policies => "none",
                     :x_xss_protection => "1; mode=block",
                           :set_cookie => [
        [0] "request_method=PUT; path=/" 
    ],
                                  :via => "1.1 devel.tstrachota.usersys.redhat.com",
                                 :vary => "Accept-Encoding",
                     :content_encoding => "gzip",
                       :content_length => "371" 
}
User role has been removed

The API responds 200, but no change was made.

Expected results:
The API should respond with 403 Forbidden and a reasonable error message.
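A check for the outcome described above, added here as an example and not part of the report or of Foreman's or hammer's code: it takes the user's roles before the call, the PUT body, the HTTP status and the response body (sample data constructed from the exchange above) and classifies the result, flagging the 200-with-no-change case this bug is about.

```python
"""
Classify the outcome of a PUT /api/users/:id role update.

Added example, not Foreman's or hammer's code. The sample data below is
constructed from the exchange in the report: the request asked for
role_ids ["9"] (drop "Viewer", keep "Default role"), the server answered
200, yet the response still lists both roles.
"""

# Constructed from the report: roles before the call, the request, the reply.
ROLES_BEFORE = [{"name": "Viewer", "id": 23}, {"name": "Default role", "id": 9}]
REQUEST_BODY = {"user": {"role_ids": ["9"]}}
RESPONSE_STATUS = 200
RESPONSE_BODY = {"id": 39, "login": "test", "roles": ROLES_BEFORE}


def role_id_set(roles):
    """Normalise a list of role objects to a set of integer ids."""
    return {int(r["id"]) for r in roles}


def classify_role_update(roles_before, request_body, status, response_body):
    """
    Return one of:
      "forbidden"    - 403; the correct answer for an unprivileged caller
      "applied"      - 2xx and the roles now match what was requested
      "silent_no_op" - 2xx but the roles are unchanged (this bug)
      "unexpected"   - anything else (other status, or a different role set)
    """
    if status == 403:
        return "forbidden"
    if not 200 <= status < 300:
        return "unexpected"
    # hammer sends ids as strings ("9"); the API returns integers (9).
    requested = {int(i) for i in request_body["user"]["role_ids"]}
    before = role_id_set(roles_before)
    after = role_id_set(response_body.get("roles", []))
    if after == requested:
        return "applied"
    if after == before and requested != before:
        return "silent_no_op"
    return "unexpected"


if __name__ == "__main__":
    print(classify_role_update(ROLES_BEFORE, REQUEST_BODY,
                               RESPONSE_STATUS, RESPONSE_BODY))
```

Run against the report's data it prints silent_no_op; a 403 reply would classify as forbidden, and a 200 whose roles match the request would be the case Daniel asks about in #1.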

#1

Updated by Daniel Lobato Garcia almost 7 years ago

At the end of the message I see "User role has been removed". Did that actually happen? If so, the 200 is correct, but it's a security bug. Can you verify whether that happened or it was just a misleading message?

#2

Updated by Tomáš Strachota almost 7 years ago

Nope, this isn't a security issue. Roles remain the same as they were, so this is correct. The problem is just the misleading message and status code.

#3

Updated by Tomer Brisker almost 4 years ago

  • Category changed from 218 to Users, Roles and Permissions