Summary
Method `putUserProfile` is missing a server-side AuthZ check.
Current Behavior
A `Member` user can make the following `PUT` request to change their `username`:

```bash
curl -X PUT http://coder-server:8080/api/v2/users/{user}/profile \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -H 'Coder-Session-Token: API_KEY' \
  --data-raw '{"username":"jdoe","name":"John Doe"}'
```
https://coder.com/docs/reference/api/users#update-user-profile
This should not be the case as per:
#3286
#3649
Proposed Changes
We should explicitly check whether the given user has the `update_personal` permission (`ActionUpdatePersonal`) granted in their RBAC policy:

```go
if !api.Authorize(r, policy.ActionUpdatePersonal, user) {
	httpapi.ResourceNotFound(rw)
	return
}
```
Also, this is most likely a bug, and `policy.ActionUpdatePersonal` should be removed from the `Member` role:
Lines 302 to 304 in d527f91:

```go
// Users cannot do create/update/delete on themselves, but they
// can read their own details.
ResourceUser.Type: {policy.ActionRead, policy.ActionReadPersonal, policy.ActionUpdatePersonal},
```
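As an added illustration (not code from the coder repository), the self-contained Go program below models both halves of the proposal: a handler that runs the server-side AuthZ check before touching the profile and answers with 404 when the caller lacks `update_personal`, and a role policy in which `Member` no longer carries that action. The action names follow the identifiers quoted above; the role names, the `authorize`, `putUserProfile` and `TryUpdateUsername` functions, and the policy table are hypothetical and constructed for this example. `TryUpdateUsername` drives the handler in-process with `httptest`, so the program runs offline and shows, side by side, the buggy policy still permitting the rename and the corrected policy refusing it.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Action names modelled on the identifiers quoted in the issue. Everything in
// this file is a hypothetical, self-contained illustration, not coder's RBAC code.
type Action string

const (
	ActionRead           Action = "read"
	ActionReadPersonal   Action = "read_personal"
	ActionUpdatePersonal Action = "update_personal"
)

// Constructed sample policy: role name -> actions granted on the user resource.
var rolePolicy = map[string]map[Action]bool{
	// Shape quoted in the issue: Member still holds update_personal.
	"member-buggy": {ActionRead: true, ActionReadPersonal: true, ActionUpdatePersonal: true},
	// Proposed shape: Member can read their own details but not update them.
	"member": {ActionRead: true, ActionReadPersonal: true},
	// A privileged role that legitimately holds update_personal.
	"owner": {ActionRead: true, ActionReadPersonal: true, ActionUpdatePersonal: true},
}

type User struct {
	Username string
	Role     string
}

// authorize is the server-side check: it consults only the caller's role
// policy, never anything the client sent in the request.
func authorize(caller User, action Action) bool {
	return rolePolicy[caller.Role][action]
}

// putUserProfile shows the handler shape proposed in the issue: the AuthZ
// check runs before any mutation, and a denied caller receives 404 rather
// than 403 so the response does not confirm that the resource exists.
func putUserProfile(caller User, target *User) http.HandlerFunc {
	return func(rw http.ResponseWriter, r *http.Request) {
		if !authorize(caller, ActionUpdatePersonal) {
			http.Error(rw, "resource not found", http.StatusNotFound)
			return
		}
		var body struct {
			Username string `json:"username"`
			Name     string `json:"name"`
		}
		if err := json.NewDecoder(r.Body).Decode(&body); err != nil || body.Username == "" {
			http.Error(rw, "invalid profile payload", http.StatusBadRequest)
			return
		}
		target.Username = body.Username
		rw.WriteHeader(http.StatusOK)
	}
}

// TryUpdateUsername drives the handler in-process: a user holding callerRole
// attempts to rename their own profile. It returns the HTTP status and the
// username actually stored afterwards.
func TryUpdateUsername(callerRole, newUsername string) (int, string) {
	target := &User{Username: "jdoe-original", Role: callerRole}
	caller := *target // the caller edits their own profile, as in the issue
	payload, _ := json.Marshal(map[string]string{"username": newUsername, "name": "John Doe"})
	req := httptest.NewRequest(http.MethodPut, "/api/v2/users/me/profile", bytes.NewReader(payload))
	req.Header.Set("Content-Type", "application/json")
	rec := httptest.NewRecorder()
	putUserProfile(caller, target).ServeHTTP(rec, req)
	return rec.Code, target.Username
}

func main() {
	for _, role := range []string{"member-buggy", "member", "owner"} {
		code, name := TryUpdateUsername(role, "jdoe")
		fmt.Printf("%-12s -> HTTP %d, stored username %q\n", role, code, name)
	}
}
```

Running `main` prints one line per role: with the buggy policy the member's rename succeeds with HTTP 200, with the corrected policy the same request is refused with HTTP 404 and the stored username is untouched, and the owner role is still able to update. The 404-on-deny choice mirrors the `httpapi.ResourceNotFound` call in the proposed snippet.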