1
0
Fork 0
mirror of https://github.com/portainer/portainer.git synced 2025-07-23 15:29:42 +02:00

fix(security): block non-admins from user info listing EE-5825 (#10241)

This commit is contained in:
Dakota Walsh 2023-09-05 09:17:05 +12:00 committed by GitHub
parent e82b34b775
commit 6a08bbe7e9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 15 additions and 28 deletions

View file

@ -26,24 +26,23 @@ import (
// @failure 500 "Server error"
// @router /users [get]
func (handler *Handler) userList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
users, err := handler.DataStore.User().ReadAll()
if err != nil {
return httperror.InternalServerError("Unable to retrieve users from the database", err)
}
securityContext, err := security.RetrieveRestrictedRequestContext(r)
if err != nil {
return httperror.InternalServerError("Unable to retrieve info from request context", err)
}
availableUsers := security.FilterUsers(users, securityContext)
for i := range availableUsers {
hideFields(&availableUsers[i])
if !securityContext.IsAdmin {
return httperror.Forbidden("Permission denied to access users list", err)
}
users, err := handler.DataStore.User().ReadAll()
if err != nil {
return httperror.InternalServerError("Unable to retrieve users from the database", err)
}
endpointID, _ := request.RetrieveNumericQueryParameter(r, "environmentId", true)
if endpointID == 0 {
return response.JSON(w, availableUsers)
return response.JSON(w, users)
}
// filter out users who do not have access to the specific endpoint
@ -58,7 +57,7 @@ func (handler *Handler) userList(w http.ResponseWriter, r *http.Request) *httper
}
canAccessEndpoint := make([]portainer.User, 0)
for _, user := range availableUsers {
for _, user := range users {
// the users who have the endpoint authorization
if _, ok := user.EndpointAuthorizations[endpoint.ID]; ok {
canAccessEndpoint = append(canAccessEndpoint, user)