tinfoil-knight commented on issue #6985:
URL: https://github.com/apache/trafficcontrol/issues/6985#issuecomment-1475357376
@ocket8888 The issue still exists.
- I created a new role with `[ "USER:UPDATE", "USER:READ" ]` permissions using `POST /roles`
- Created a new user with that role using `POST /users`
- Logged in with their credentials using `POST /user/login`
- Attempted to change their role to `admin` with the `PUT /user/current` endpoint. Got an "Internal Server Error".
- Got "users cannot update their own role" error with `PUT /users/{id}`, which is the correct description.
Unlike the `Update` method used for the `PUT /users/{id}` route, there's no check to prevent "role" changes in the `ReplaceCurrentV4` method used for `PUT /users/current`.
See:
https://github.com/apache/trafficcontrol/blob/c35b9f18dc5b6407fdd2509598704451d5e8ef89/traffic_ops/traffic_ops_golang/user/user.go#L993-L999
https://github.com/apache/trafficcontrol/blob/c35b9f18dc5b6407fdd2509598704451d5e8ef89/traffic_ops/traffic_ops_golang/user/current.go#L536-L541
I'll push a fix.
--
This is an automated message from the Apache Git Service.
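The check the comment says is missing from the self-update path, written as an added illustration rather than Traffic Ops code: the `CurrentUser`, `SelfUpdate`, `ValidateSelfUpdate` and `StatusFor` names, the request shape and the 403/400 status mapping are all assumptions for this example. The point it demonstrates is that a self-update request carrying a different role should be rejected with a deliberate client error and the same message the `PUT /users/{id}` path already returns, instead of surfacing as an Internal Server Error.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
)

// ErrSelfRoleChange reuses the wording the PUT /users/{id} path already returns.
var ErrSelfRoleChange = errors.New("users cannot update their own role")

// CurrentUser is a constructed stand-in for the authenticated caller's record.
type CurrentUser struct {
	ID   int
	Role string
}

// SelfUpdate is a constructed stand-in for the PUT /user/current body.
// Pointers let an omitted field be told apart from a present one.
type SelfUpdate struct {
	Username *string `json:"username"`
	Role     *string `json:"role"`
}

// ValidateSelfUpdate parses the body and refuses any request whose role
// differs from the caller's current role. An omitted role, or a role equal
// to the current one, is allowed; anything else is a policy violation.
func ValidateSelfUpdate(cur CurrentUser, body []byte) (*SelfUpdate, error) {
	var upd SelfUpdate
	if err := json.Unmarshal(body, &upd); err != nil {
		return nil, fmt.Errorf("malformed request body: %w", err)
	}
	if upd.Role != nil && *upd.Role != cur.Role {
		return nil, ErrSelfRoleChange
	}
	return &upd, nil
}

// StatusFor maps a validation outcome to an HTTP status (assumed mapping):
// a policy violation is 403, a malformed body is 400, never a 500.
func StatusFor(err error) int {
	switch {
	case err == nil:
		return http.StatusOK
	case errors.Is(err, ErrSelfRoleChange):
		return http.StatusForbidden
	default:
		return http.StatusBadRequest
	}
}

func main() {
	cur := CurrentUser{ID: 7, Role: "operator"}
	_, err := ValidateSelfUpdate(cur, []byte(`{"role":"admin"}`)) // constructed request
	fmt.Println(StatusFor(err), err)
}
```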