TT#157400 API/UI admins fix authorization for "system" role

* Users with "system" role can change all items accross the system including the password changing for other users. * Login "system" has persistant "system" role. * "system" login name is restricted for the user input. Change-Id: Ibaecba35a86f71fa8895ce9d9feab8e768b65d14
3 years ago · 03271187c7
parent 938eef9140
commit 03271187c7
6 changed files with 29 additions and 1 deletions
--- a/lib/NGCP/Panel/Authentication/Store/System.pm
+++ b/lib/NGCP/Panel/Authentication/Store/System.pm
@ -60,6 +60,8 @@ sub find_user {

    return unless exists $self->acl->{$username};

+    $user->{ctx} = $c;
+
    if (ref($user) eq "HASH") {
        return $self->user_class->new($user);
    } elsif (ref($user) && blessed($user) &&
--- a/lib/NGCP/Panel/Authentication/Store/SystemACLRole.pm
+++ b/lib/NGCP/Panel/Authentication/Store/SystemACLRole.pm
@ -0,0 +1,14 @@
+package NGCP::Panel::Authentication::Store::SystemACLRole;
+use Sipwise::Base;
+
+my $instance;
+
+sub new {
+    my $class = shift;
+    $instance ||= bless {}, $class;
+}
+
+sub id {-1};
+sub role {'system'};
+
+1;
--- a/lib/NGCP/Panel/Authentication/Store/SystemRole.pm
+++ b/lib/NGCP/Panel/Authentication/Store/SystemRole.pm
@ -1,6 +1,7 @@
 package NGCP::Panel::Authentication::Store::SystemRole;
 use Sipwise::Base;
 use parent 'Catalyst::Authentication::User::Hash';
+use NGCP::Panel::Authentication::Store::SystemACLRole;

 sub roles  {
    my $self = shift;
@ -22,6 +23,10 @@ sub call_data        { 1 };
 sub billing_data     { 1 };
 sub lawful_intercept { 0 };

+sub acl_role {
+    return NGCP::Panel::Authentication::Store::SystemACLRole->new;
+}
+
 1;

 # vim ts=4 sw=4 et
--- a/lib/NGCP/Panel/Form/Administrator/System.pm
+++ b/lib/NGCP/Panel/Form/Administrator/System.pm
@ -28,6 +28,12 @@ sub validate {
        $c->log->error($err);
        $self->field('lawful_intercept')->add_error($err);
    }
+
+    if (defined $resource->{login} && $resource->{login} eq 'system') {
+        my $err = 'Restricted login definition: ' . $resource->{login};
+        $c->log->error($err);
+        $self->field('login')->add_error($err);
+    }
 }

 1;
--- a/lib/NGCP/Panel/Role/API/Admins.pm
+++ b/lib/NGCP/Panel/Role/API/Admins.pm
@ -191,7 +191,7 @@ sub update_item {
    my $pass = $resource->{password};
    delete $resource->{password};
    if (defined $pass && $pass ne $old_resource->{saltedpass}) {
-        if ($c->user->id != $item->id) {
+        if ($c->user->acl_role->role ne 'system' && $c->user->id != $item->id) {
            $self->error($c, HTTP_FORBIDDEN, "Only own user can change password");
            return;
        }
--- a/lib/NGCP/Panel/Utils/UserRole.pm
+++ b/lib/NGCP/Panel/Utils/UserRole.pm
@ -108,6 +108,7 @@ sub resolve_resource_role {

 sub has_permission {
    my ($c, $own_role_id, $to_role_id) = @_;
+    return 1 if $own_role_id == -1; # NGCP::API::Client user
    return 0 unless $own_role_id && $to_role_id;

    return $c->model('DB')->resultset('acl_role_mappings')->search({