Bug 2393 Fixed: Able to change password of other users with no admin privileges

Change-Id: I0df905358041df5c261d995c72a96972ae7b30d8
Signed-off-by: 37177 <adurti.v@tataelxsi.co.in>
Signed-off-by: garciadeblas <gerardo.garciadeblas@telefonica.com>
diff --git a/osm_nbi/admin_topics.py b/osm_nbi/admin_topics.py
index b798eaa..ec2bba4 100644
--- a/osm_nbi/admin_topics.py
+++ b/osm_nbi/admin_topics.py
@@ -1070,6 +1070,21 @@
                         http_code=HTTPStatus.UNPROCESSABLE_ENTITY,
                     )
 
+            # password change
+            if indata.get("password"):
+                if not session.get("admin_show"):
+                    if not indata.get("system_admin_id"):
+                        if _id != session["user_id"]:
+                            raise EngineException(
+                                "You are not allowed to change other users password",
+                                http_code=HTTPStatus.BAD_REQUEST,
+                            )
+                        if not indata.get("old_password"):
+                            raise EngineException(
+                                "Password change requires old password or admin ID",
+                                http_code=HTTPStatus.BAD_REQUEST,
+                            )
+
             # user = self.show(session, _id)   # Already in 'content'
             original_mapping = content["project_role_mappings"]
 
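Review bot: The `system_admin_id` escape hatch on the third `if` is read from `indata`, i.e. from the request body, so unless that field is validated somewhere before this point a non-admin caller can skip both the owner check and the `old_password` requirement just by including any `system_admin_id` in the edit; an authorization decision should rest on the session (`session.get("admin_show")`, `session["user_id"]`), not on a client-supplied key. `old_password` is likewise only tested for presence here; its verification against the stored credential is not in this hunk and should be confirmed to happen before the new password is written. Refusing to change another user's password is a permission failure, so `http_code=HTTPStatus.FORBIDDEN` (or whatever status the file uses for its other authorization errors) would be more accurate than `BAD_REQUEST`. The nested `if` chain could be flattened to `if indata.get("password") and not session.get("admin_show"):` followed by the two guards, which makes the policy easier to audit. The enclosing method begins and ends outside the hunk.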
diff --git a/osm_nbi/nbi.py b/osm_nbi/nbi.py
index 861ba31..46b5758 100644
--- a/osm_nbi/nbi.py
+++ b/osm_nbi/nbi.py
@@ -1335,6 +1335,7 @@
             "username": token_info["username"],
             "user_id": token_info["user_id"],
             "admin": token_info["admin"],
+            "admin_show": token_info["admin_show"],
             "public": None,
             "allow_show_user_project_role": token_info["allow_show_user_project_role"],
         }
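Review bot: `token_info["admin_show"]` indexes the key directly, so if token records are persisted and some were issued before this change (or by an auth backend that never sets the flag), every request presenting such a token would fail with a `KeyError` here instead of being treated as non-admin. `"admin_show": token_info.get("admin_show", False),` fails closed and matches how the consumer in admin_topics.py already reads it via `session.get("admin_show")`. The dict literal this line belongs to starts before the hunk.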
diff --git a/osm_nbi/tests/test_admin_topics.py b/osm_nbi/tests/test_admin_topics.py
index cfa3cf5..4cafce8 100755
--- a/osm_nbi/tests/test_admin_topics.py
+++ b/osm_nbi/tests/test_admin_topics.py
@@ -927,6 +927,7 @@
         pid1 = str(uuid4())
         rid1 = str(uuid4())
         self.fake_session["user_id"] = uid
+        self.fake_session["admin_show"] = True
         prms = [
             {
                 "project": pid1,