Bug 335468 - [server] User should not be able to modify his own roles
Status: RESOLVED FIXED
Alias: None
Product: Orion
Classification: ECD
Component: Client
Version: 0.2
Hardware: PC Windows XP
Importance: P3 normal
Target Milestone: 0.2
Assignee: Malgorzata Janczarska CLA
Reported: 2011-01-26 11:50 EST by Szymon Brandys CLA
Modified: 2011-09-01 11:42 EDT (History)
Description Szymon Brandys CLA 2011-01-26 11:50:21 EST
Right now, when a user is added, he gets the following rules: /users/[userId] and /users/[userId]/*.
PUT on /users/[userId] allows him to modify his own roles, which looks like a security hole.
Comment 1 Malgorzata Janczarska CLA 2011-01-27 10:40:40 EST
I removed adding roles on PUT /users/[userId] and POST /users/[userId]. Now, even if they are a part of the POST/PUT data, they are not saved. I also changed the API, because with the previous API adding users' "roles" would make some mess. The current API is:
//POST /users/ creates a new user
//GET /users/ gets list of users
//GET /users/[userId] gets user details
//GET /users/[usersId]/roles returns a list of roles for given user
//DELETE /users/[usersId] deletes a user
//DELETE /users/[usersId]/roles removes roles for given a user
//PUT /users/[userId] updates user details
//PUT /users/[usersId]/roles adds roles for given user

And only //GET /users/[usersId]/roles and //DELETE /users/[usersId]/roles can add and remove roles. The user no longer gets rights to /users/[usersId]/*, only to /users/[usersId], because there are no other actions that fall into /users/[usersId]/* other than roles.
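The following is an added illustration of the two changes described in this bug, not code from the bug report or from the Orion server. It models the path rules a user is granted and the user-resource handlers, first as the reporter describes them (roles saved from the PUT body, user granted /users/[userId]/*) and then as Comment 1 fixes them (roles dropped from PUT/POST, roles only changeable via /users/[userId]/roles, user granted /users/[userId] only). The in-memory store, the "/*" prefix-rule semantics, the constructed admin account "root" and all function names are assumptions made for the example.

```python
# Added example, not Orion's code. Models the access rules and user handlers
# from the bug: "reported" = behaviour before the fix, "fixed" = Comment 1.
# Store layout, rule matching and the admin user "root" are assumptions.

def is_allowed(rights, actor, path):
    """True if one of the actor's path rules covers `path`.
    A rule is an exact path or a prefix ending in "/*" (assumed semantics)."""
    for rule in rights.get(actor, []):
        if rule == path:
            return True
        if rule.endswith("/*") and path.startswith(rule[:-1]):
            return True
    return False

def new_store():
    """In-memory store; 'root' is a constructed admin allowed under /users."""
    return {
        "users": {},                                  # userId -> {"name", "roles"}
        "rights": {"root": ["/users", "/users/*"]},   # userId -> path rules
    }

# ---- behaviour as reported (before the fix) ----
def create_user_reported(store, uid, name):
    store["users"][uid] = {"name": name, "roles": set()}
    # user gets the resource and everything below it
    store["rights"][uid] = [f"/users/{uid}", f"/users/{uid}/*"]

def put_user_reported(store, actor, uid, body):
    """PUT /users/[userId]: every body field is saved, roles included."""
    if not is_allowed(store["rights"], actor, f"/users/{uid}"):
        return 403
    user = store["users"][uid]
    user["name"] = body.get("name", user["name"])
    if "roles" in body:                 # the hole: caller chooses own roles
        user["roles"] = set(body["roles"])
    return 200

# ---- behaviour after the fix (Comment 1) ----
UPDATABLE_FIELDS = {"name"}             # "roles" deliberately absent

def create_user_fixed(store, uid, name):
    store["users"][uid] = {"name": name, "roles": set()}
    store["rights"][uid] = [f"/users/{uid}"]     # no /users/[userId]/* any more

def put_user_fixed(store, actor, uid, body):
    """PUT /users/[userId]: only whitelisted fields are copied; a 'roles'
    key in the body is silently ignored."""
    if not is_allowed(store["rights"], actor, f"/users/{uid}"):
        return 403
    user = store["users"][uid]
    for key in body.keys() & UPDATABLE_FIELDS:
        user[key] = body[key]
    return 200

def put_user_roles(store, actor, uid, roles):
    """PUT /users/[userId]/roles: the only way to add roles; needs a rule
    covering the /roles sub-resource, which plain users no longer have."""
    if not is_allowed(store["rights"], actor, f"/users/{uid}/roles"):
        return 403
    store["users"][uid]["roles"] |= set(roles)
    return 200

def delete_user_roles(store, actor, uid, roles):
    """DELETE /users/[userId]/roles: remove the given roles."""
    if not is_allowed(store["rights"], actor, f"/users/{uid}/roles"):
        return 403
    store["users"][uid]["roles"] -= set(roles)
    return 200

def self_escalation(fixed):
    """Constructed scenario: alice tries to make herself admin, first via
    roles in the PUT body, then via PUT on her own /roles sub-resource.
    Returns both status codes and her final role list."""
    store = new_store()
    create = create_user_fixed if fixed else create_user_reported
    put = put_user_fixed if fixed else put_user_reported
    create(store, "alice", "Alice")
    s1 = put(store, "alice", "alice", {"name": "Alice B.", "roles": ["admin"]})
    s2 = put_user_roles(store, "alice", "alice", ["admin"])
    return s1, s2, sorted(store["users"]["alice"]["roles"])

def admin_grant():
    """The legitimate path after the fix: root grants, then revokes, a role."""
    store = new_store()
    create_user_fixed(store, "alice", "Alice")
    s1 = put_user_roles(store, "root", "alice", ["committer"])
    s2 = delete_user_roles(store, "root", "alice", ["committer"])
    return s1, s2, sorted(store["users"]["alice"]["roles"])

if __name__ == "__main__":
    print("reported:", self_escalation(fixed=False))   # (200, 200, ['admin'])
    print("fixed:   ", self_escalation(fixed=True))    # (200, 403, [])
    print("admin:   ", admin_grant())                  # (200, 200, [])
```

Both halves of the fix matter: dropping "roles" from the PUT/POST body alone would still leave /users/[userId]/roles reachable through the /users/[userId]/* rule, and narrowing the rule alone would still leave the body field writable. The whitelist in put_user_fixed is the usual shape of a mass-assignment fix: copy named fields, never iterate the client's keys.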