Posted to issues@trafficcontrol.apache.org by GitBox <gi...@apache.org> on 2022/07/26 21:39:30 UTC

[GitHub] [trafficcontrol] ericholguin opened a new issue, #6985: Internal Server Error in TP when updating own role to higher role

ericholguin opened a new issue, #6985:
URL: https://github.com/apache/trafficcontrol/issues/6985

   
   When the current user has a role with a lower privilege level than the role it is updating itself to, the result is an Internal Server Error in Traffic Portal. In Traffic Ops this is not allowed when using the `users/{id}` endpoint; however, Traffic Portal uses the `user/current` endpoint when updating yourself.
   
   
   ## This Bug Report affects these Traffic Control components:
   
   - Traffic Portal
   
   ## Current behavior:
   Try updating your own role to a role with higher privileges in Traffic Portal; you should see an Internal Server Error alert.
   
   ## Expected behavior:
   The alert should be: `"users cannot update their own role"` or something similar.
   
   ## Steps to reproduce:
   Go to Traffic Portal.
   Log in as a user with an operations role.
   Try updating your own role to admin; you should see an Internal Server Error alert.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@trafficcontrol.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [trafficcontrol] ocket8888 commented on issue #6985: Internal Server Error in TP when updating own role to higher role

Posted by "ocket8888 (via GitHub)" <gi...@apache.org>.
ocket8888 commented on issue #6985:
URL: https://github.com/apache/trafficcontrol/issues/6985#issuecomment-1476487502

   alright, cool, thanks




[GitHub] [trafficcontrol] tinfoil-knight commented on issue #6985: Internal Server Error in TP when updating own role to higher role

Posted by "tinfoil-knight (via GitHub)" <gi...@apache.org>.
tinfoil-knight commented on issue #6985:
URL: https://github.com/apache/trafficcontrol/issues/6985#issuecomment-1475357376

   @ocket8888 The issue still exists.
   - I created a new role with `[ "USER:UPDATE", "USER:READ" ]` permissions using `POST /roles`
   - Created a new user with that role using `POST /users`
   - Logged in with their credentials using `POST /user/login`
   - Attempted to change their role to `admin` with the `PUT /user/current` endpoint. Got an "Internal Server Error".
   - Got "users cannot update their own role" error with `PUT /users/{id}` which is the correct description.
   
   Unlike the `Update` method used for the `PUT /users/{id}` route, there's no check to prevent "role" changes in the `ReplaceCurrentV4` method used for `PUT /user/current`.
   
   See:
   
   https://github.com/apache/trafficcontrol/blob/c35b9f18dc5b6407fdd2509598704451d5e8ef89/traffic_ops/traffic_ops_golang/user/user.go#L993-L999
   
   https://github.com/apache/trafficcontrol/blob/c35b9f18dc5b6407fdd2509598704451d5e8ef89/traffic_ops/traffic_ops_golang/user/current.go#L536-L541
   
   I'll push a fix.
   
   


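The comment above and the original report both describe the same gap: the `PUT /users/{id}` path refuses a self-role change with a clear 400-class message, while the self-update path has no such check and falls through to a 500. The following is an added example written for this page, not code from the Apache Traffic Control repository: a hypothetical, self-contained Go handler that applies the missing check to a `PUT /user/current` style request. The `CurrentUser` and `SelfUpdate` types, the `validateSelfUpdate` function and the in-memory request/response driver are all assumptions made for the illustration; only the error string "users cannot update their own role" is taken from the thread.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// CurrentUser stands in for the session-resolved caller.
// Hypothetical type for this example, not Traffic Ops' own user model.
type CurrentUser struct {
	ID       int
	Username string
	Email    string
	Role     string
}

// SelfUpdate is the PUT body. Pointer fields distinguish "omitted" from
// "set to empty"; an omitted role means "keep the current role".
type SelfUpdate struct {
	Email    *string `json:"email"`
	FullName *string `json:"fullName"`
	Role     *string `json:"role"`
}

// ErrOwnRoleChange reuses the message the users/{id} path already returns.
var ErrOwnRoleChange = errors.New("users cannot update their own role")

// validateSelfUpdate is the authorization check the self-update path needs:
// a caller may never assign themselves a different role, regardless of
// whether that role is "higher" or "lower". Every other field is allowed.
func validateSelfUpdate(cur CurrentUser, req SelfUpdate) error {
	if req.Role != nil && *req.Role != cur.Role {
		return ErrOwnRoleChange
	}
	return nil
}

// selfUpdateHandler wires the check into a PUT handler. The caller is
// supplied by a closure in place of real session lookup. Malformed input
// and a disallowed role change are client errors (400), never a 500.
func selfUpdateHandler(cur CurrentUser) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPut {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		var req SelfUpdate
		dec := json.NewDecoder(r.Body)
		dec.DisallowUnknownFields()
		if err := dec.Decode(&req); err != nil {
			http.Error(w, "malformed request body: "+err.Error(), http.StatusBadRequest)
			return
		}
		if err := validateSelfUpdate(cur, req); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		// Apply the permitted fields to an in-memory copy; persisting the
		// change is out of scope here. The role is deliberately not copied.
		updated := cur
		if req.Email != nil {
			updated.Email = *req.Email
		}
		fmt.Fprintf(w, "ok: user %q email %q role %q\n", updated.Username, updated.Email, updated.Role)
	})
}

// tryUpdate sends a PUT with the given body through the handler and returns
// the HTTP status and trimmed response body so the outcome can be asserted.
func tryUpdate(cur CurrentUser, body string) (int, string) {
	req := httptest.NewRequest(http.MethodPut, "/user/current", strings.NewReader(body))
	rec := httptest.NewRecorder()
	selfUpdateHandler(cur).ServeHTTP(rec, req)
	out, _ := io.ReadAll(rec.Result().Body)
	return rec.Code, strings.TrimSpace(string(out))
}

func main() {
	// Constructed sample caller: an operations-level user trying a few bodies.
	ops := CurrentUser{ID: 7, Username: "ops-user", Email: "old@example.test", Role: "operations"}
	for _, body := range []string{
		`{"role":"admin"}`,                       // escalation attempt
		`{"email":"ops@example.test"}`,           // harmless change
		`{"role":"operations","fullName":"Ops"}`, // same role restated
		`{"role":"admin"`,                        // malformed JSON
	} {
		code, msg := tryUpdate(ops, body)
		fmt.Printf("%-42s -> %d %s\n", body, code, msg)
	}
}
```

The point of the check is that it compares against the caller's current role rather than reasoning about privilege levels: a self-update endpoint has no legitimate reason to change the role at all, so "different from what you already have" is both simpler and stricter than "higher than what you have". Restating the existing role is accepted so that clients which round-trip the whole user object keep working.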


[GitHub] [trafficcontrol] tinfoil-knight commented on issue #6985: Internal Server Error in TP when updating own role to higher role

Posted by "tinfoil-knight (via GitHub)" <gi...@apache.org>.
tinfoil-knight commented on issue #6985:
URL: https://github.com/apache/trafficcontrol/issues/6985#issuecomment-1473977919

   @ericholguin Do we want the endpoint changed for Traffic Portal from `user/current` to `users/{id}` (which has the correct validation) or should we add a check for "updating your own role to a role with higher privileges" in the `user/current` endpoint itself?




[GitHub] [trafficcontrol] ocket8888 closed issue #6985: Internal Server Error in TP when updating own role to higher role

Posted by "ocket8888 (via GitHub)" <gi...@apache.org>.
ocket8888 closed issue #6985: Internal Server Error in TP when updating own role to higher role
URL: https://github.com/apache/trafficcontrol/issues/6985




[GitHub] [trafficcontrol] ocket8888 commented on issue #6985: Internal Server Error in TP when updating own role to higher role

Posted by "ocket8888 (via GitHub)" <gi...@apache.org>.
ocket8888 commented on issue #6985:
URL: https://github.com/apache/trafficcontrol/issues/6985#issuecomment-1474955561

   @tinfoil-knight the latter - although I _believe_ this issue actually no longer exists. I haven't checked, but Roles and the user/current endpoint have both had significant changes since this issue was opened. 

