diff options
| author | Frederick Muriuki Muriithi | 2024-06-25 13:15:04 -0500 |
|---|---|---|
| committer | Frederick Muriuki Muriithi | 2024-06-25 13:15:04 -0500 |
| commit | c8658a764cf30605c6e5a1361dcd09ddd422e371 (patch) | |
| tree | 6a7c5d3dcef354174ce08486eca714c626820c1e /gn_auth/auth/authorisation/resources/views.py | |
| parent | 2ae145f255e3823ac6c0bbaecff7289f5480d3e2 (diff) | |
| download | gn-auth-c8658a764cf30605c6e5a1361dcd09ddd422e371.tar.gz | |
The GroupRole idea was flawed, and led to a critical bug that would
have allowed privilege escalation. This uses the Role directly acting
on a specific resource when assigning said role to a user.
Diffstat (limited to 'gn_auth/auth/authorisation/resources/views.py')
| -rw-r--r-- | gn_auth/auth/authorisation/resources/views.py | 34 |
1 files changed, 20 insertions, 14 deletions
diff --git a/gn_auth/auth/authorisation/resources/views.py b/gn_auth/auth/authorisation/resources/views.py index cf9ebc4..2eda72b 100644 --- a/gn_auth/auth/authorisation/resources/views.py +++ b/gn_auth/auth/authorisation/resources/views.py @@ -247,22 +247,25 @@ def resource_users(resource_id: UUID): @require_oauth("profile group resource role") def assign_role_to_user(resource_id: UUID) -> Response: """Assign a role on the specified resource to a user.""" - with require_oauth.acquire("profile group resource role") as the_token: + with require_oauth.acquire("profile group resource role") as _token: try: form = request_json() - group_role_id = form.get("group_role_id", "") + role_id = form.get("role_id", "") user_email = form.get("user_email", "") - assert bool(group_role_id), "The role must be provided." + assert bool(role_id), "The role must be provided." assert bool(user_email), "The user email must be provided." def __assign__(conn: db.DbConnection) -> dict: - resource = resource_by_id(conn, the_token.user, resource_id) + authorised_for( + conn, + _token.user, + ("resource:role:assign-role",), + (resource_id,)) + resource = resource_by_id(conn, _token.user, resource_id) user = user_by_email(conn, user_email) return assign_resource_user( conn, resource, user, - group_role_by_id(conn, - resource_owner(conn, resource), - UUID(group_role_id))) + role_by_id(conn, UUID(role_id))) except AssertionError as aserr: raise AuthorisationError(aserr.args[0]) from aserr @@ -272,21 +275,24 @@ def assign_role_to_user(resource_id: UUID) -> Response: @require_oauth("profile group resource role") def unassign_role_to_user(resource_id: UUID) -> Response: """Unassign a role on the specified resource from a user.""" - with require_oauth.acquire("profile group resource role") as the_token: + with require_oauth.acquire("profile group resource role") as _token: try: form = request_json() - group_role_id = form.get("group_role_id", "") + role_id = form.get("role_id", "") user_id = form.get("user_id", "") - assert bool(group_role_id), "The role must be provided." + assert bool(role_id), "The role must be provided." assert bool(user_id), "The user id must be provided." def __assign__(conn: db.DbConnection) -> dict: - resource = resource_by_id(conn, the_token.user, resource_id) + authorised_for( + conn, + _token.user, + ("resource:role:assign-role",), + (resource_id,)) + resource = resource_by_id(conn, _token.user, resource_id) return unassign_resource_user( conn, resource, user_by_id(conn, UUID(user_id)), - group_role_by_id(conn, - resource_owner(conn, resource), - UUID(group_role_id))) + role_by_id(conn, UUID(role_id))) except AssertionError as aserr: raise AuthorisationError(aserr.args[0]) from aserr |