blackroad-os/backroad
9
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(api): review security policies when creating/updating a resource control (#1964)

Browse Source
This commit is contained in:
Anthony Lapenna
2018-06-11 17:58:46 +02:00
committed by GitHub
parent e3d564325b
commit 1e12057cdd
2 changed files with 53 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
api/http/handler/resourcecontrols/resourcecontrol_update.go
View File

@@ -43,6 +43,15 @@ func (handler *Handler) resourceControlUpdate(w http.ResponseWriter, r *http.Req
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a resource control with with the specified identifier inside the database", err}
}
securityContext, err := security.RetrieveRestrictedRequestContext(r)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
}
if !security.AuthorizedResourceControlAccess(resourceControl, securityContext) {
return &httperror.HandlerError{http.StatusForbidden, "Permission denied to update the resource control", portainer.ErrResourceAccessDenied}
}
resourceControl.AdministratorsOnly = payload.AdministratorsOnly
var userAccesses = make([]portainer.UserResourceAccess, 0)
@@ -65,11 +74,6 @@ func (handler *Handler) resourceControlUpdate(w http.ResponseWriter, r *http.Req
}
resourceControl.TeamAccesses = teamAccesses
securityContext, err := security.RetrieveRestrictedRequestContext(r)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
}
if !security.AuthorizedResourceControlUpdate(resourceControl, securityContext) {
return &httperror.HandlerError{http.StatusForbidden, "Permission denied to update the resource control", portainer.ErrResourceAccessDenied}
}