sipwise
/
ngcp-panel
mirror of https://github.com/sipwise/ngcp-panel.git
1
0
Fork 0
Code Issues Releases Wiki Activity

TT#154500 tighten /api/admins roles

Browse Source 
* An attempt to change own role, login, flags
  (except for can_reset_password) now returns
  403 Forbidden, User cannot modify own permissions
* POST checks if the admin has necessarry permissions
  to create another admin
* PUT/PATCH changing own role is now forbidden
* PUT/PATCH changing other's admin role now checks permissions
* DELETE checks role permissions

Change-Id: I990609985ae9cab6213cf47f5f5c8afba2efdda3
mr10.3
Kirill Solomko 4 years ago
parent 8b6939a715
commit f4154b1dbc
4 changed files with 67 additions and 13 deletions
Show Stats Download Patch File Download Diff File

6
lib/NGCP/Panel/Controller/API/Admins.pm
Unescape View File

@ -48,6 +48,12 @@ sub create_item {
}
$resource = NGCP::Panel::Utils::UserRole::resolve_resource_role($c, $resource);
unless (defined $resource->{role_id} &&
NGCP::Panel::Utils::UserRole::has_permission(
$c, $c->user->acl_role->id, $resource->{role_id})) {
$self->error($c, HTTP_FORBIDDEN, "Cannot create admin user");
return;
}
my $item;
try {

7
lib/NGCP/Panel/Controller/API/AdminsItem.pm
Unescape View File

@ -6,6 +6,7 @@ use Sipwise::Base;
use parent qw/NGCP::Panel::Role::EntitiesItem NGCP::Panel::Role::API::Admins/;
use NGCP::Panel::Utils::Auth;
use NGCP::Panel::Utils::UserRole;
use HTTP::Status qw(:constants);
sub allowed_methods{
@ -90,6 +91,12 @@ sub delete_item {
return;
}
unless (NGCP::Panel::Utils::UserRole::has_permission(
$c, $c->user->acl_role->id, $item->acl_role->id)) {
$self->error($c, HTTP_FORBIDDEN, "Cannot delete user");
return;
}
# reseller association is checked in item_rs of role
return unless $self->add_delete_journal_item_hal($c,sub {

57
lib/NGCP/Panel/Role/API/Admins.pm
Unescape View File

@ -86,7 +86,7 @@ sub hal_links {
];
}
sub process_form_resource{
sub process_form_resource {
my($self,$c, $item, $old_resource, $resource, $form, $process_extras) = @_;
NGCP::Panel::Utils::API::apply_resource_reseller_id($c, $resource);
@ -98,13 +98,20 @@ sub process_form_resource{
$resource->{saltedpass} = NGCP::Panel::Utils::Auth::generate_salted_hash($pass);
}
foreach my $f(qw/billing_data call_data is_active is_master is_superuser is_ccare lawful_intercept read_only show_passwords/) {
$resource->{$f} = (ref $resource->{$f} eq 'JSON::true' || ( defined $resource->{$f} && ( $resource->{$f} eq 'true' || $resource->{$f} eq '1' ) ) ) ? 1 : 0;
foreach my $f (qw/billing_data call_data is_active is_master
is_superuser is_ccare lawful_intercept
read_only show_passwords can_reset_password/) {
$resource->{$f} = (ref $resource->{$f} eq 'JSON::true' ||
( defined $resource->{$f} &&
( $resource->{$f} eq 'true' || $resource->{$f} eq '1' )
)
) ? 1 : 0;
}
return $resource;
}
sub check_resource{
sub check_resource {
my($self, $c, $item, $old_resource, $resource, $form, $process_extras) = @_;
#TODO: move to config
return unless NGCP::Panel::Utils::API::check_resource_reseller_id($self, $c, $resource, $old_resource);
@ -139,7 +146,7 @@ sub check_duplicate{
sub update_item {
my ($self, $c, $item, $old_resource, $resource, $form) = @_;
if($form->field('password')){
if ($form->field('password')){
$form->field('password')->{required} = 0;
}
$form //= $self->get_form($c);
@ -149,16 +156,42 @@ sub update_item {
resource => $resource,
);
if($item->id == $c->user->id) {
if ($item->id == $c->user->id) {
# user cannot modify the following own permissions for security reasons
delete $resource->{$_} for qw(login is_master is_active read_only
show_passwords call_data billing_data);
my $own_forbidden = 0;
foreach my $k (qw(login role is_master is_active
is_system is_superuser lawful_intercept
read_only show_passwords
call_data billing_data)) {
if (defined $old_resource->{$k} && defined $resource->{$k}) {
if ($old_resource->{$k} ne $resource->{$k}) {
$own_forbidden = 1;
last;
}
} elsif (defined $resource->{$k}) {
$own_forbidden = 1;
last;
}
}
if ($own_forbidden) {
$self->error($c, HTTP_FORBIDDEN, "User cannot modify own permissions");
return;
}
delete $resource->{role};
} else {
$resource = NGCP::Panel::Utils::UserRole::resolve_resource_role($c, $resource);
if (defined $resource->{role_id} &&
! NGCP::Panel::Utils::UserRole::has_permission(
$c, $c->user->acl_role->id, $resource->{role_id})) {
$self->error($c, HTTP_FORBIDDEN, "Cannot change user role");
return;
}
}
my $pass = $resource->{password};
delete $resource->{password};
if(defined $pass && $pass ne $old_resource->{saltedpass}) {
unless($c->user->id == $item->id) {
if (defined $pass && $pass ne $old_resource->{saltedpass}) {
if ($c->user->id != $item->id) {
$self->error($c, HTTP_FORBIDDEN, "Only own user can change password");
return;
}
@ -166,14 +199,12 @@ sub update_item {
$resource->{saltedpass} = NGCP::Panel::Utils::Auth::generate_salted_hash($pass);
}
if($old_resource->{login} eq NGCP::Panel::Utils::Auth::get_special_admin_login()) {
if ($old_resource->{login} eq NGCP::Panel::Utils::Auth::get_special_admin_login()) {
my $active = $resource->{is_active};
$resource = $old_resource;
$resource->{is_active} = $active;
}
$resource = NGCP::Panel::Utils::UserRole::resolve_resource_role($c, $resource);
$item->update($resource);
return $item;

10
lib/NGCP/Panel/Utils/UserRole.pm
Unescape View File

@ -106,4 +106,14 @@ sub resolve_resource_role {
return $resource;
}
sub has_permission {
my ($c, $own_role_id, $to_role_id) = @_;
return 0 unless $own_role_id && $to_role_id;
return $c->model('DB')->resultset('acl_role_mappings')->search({
accessor_id => $own_role_id,
has_access_to_id => $to_role_id,
})->count() ? 1 : 0;
}
1;

Write Preview
Loading…
Cancel
Save