blackroad-os/backroad
9
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(permissions): non admin access to view users [EE-5825] (#10353)

Browse Source 
* fix(security): added restrictions to see user names [EE-5825]
This commit is contained in:
Prabhat Khera
2023-09-25 09:08:37 +13:00
committed by GitHub
parent b60f32a25b
commit 78202cfb25
7 changed files with 67 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
api/http/handler/users/user_list_test.go
View File

@@ -111,28 +111,14 @@ func Test_userList(t *testing.T) {
}
})
t.Run("standard user cannot list amdin users", func(t *testing.T) {
t.Run("standard user cannot list users", func(t *testing.T) {
req := httptest.NewRequest(http.MethodGet, "/users", nil)
req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", jwt))
rr := httptest.NewRecorder()
h.ServeHTTP(rr, req)
is.Equal(http.StatusOK, rr.Code)
body, err := io.ReadAll(rr.Body)
is.NoError(err, "ReadAll should not return error")
var resp []portainer.User
err = json.Unmarshal(body, &resp)
is.NoError(err, "response should be list json")
is.Len(resp, 2)
if len(resp) > 0 {
for _, user := range resp {
is.NotEqual(portainer.AdministratorRole, user.Role)
}
}
is.Equal(http.StatusForbidden, rr.Code)
})
// Case 2: the user is under an environment group and the environment group has endpoint access.