From: adurti
Date: Thu, 6 Mar 2025 14:12:36 +0000 (+0000)
Subject: Bug 2403 Fixed: Able to change username of other users with no admin privileges
X-Git-Tag: v17.0.1~1
X-Git-Url: https://osm.etsi.org/gitweb/?a=commitdiff_plain;h=50aa33a7e5a8de0d8285dde5b073cf9ec4bd80bd;p=osm%2FNBI.git
Bug 2403 Fixed: Able to change username of other users with no admin privileges
Change-Id: If5648c82e8bf2cd746877e560c14851a585f4385
Signed-off-by: adurti
Signed-off-by: garciadeblas
---
diff --git a/osm_nbi/admin_topics.py b/osm_nbi/admin_topics.py
index e560887..e496806 100644
--- a/osm_nbi/admin_topics.py
+++ b/osm_nbi/admin_topics.py
@@ -1131,6 +1131,16 @@ class UserTopicAuth(UserTopic):
 http_code=HTTPStatus.BAD_REQUEST,
 )
+ # username change
+ if indata.get("username"):
+ if not session.get("admin_show"):
+ if not indata.get("system_admin_id"):
+ if _id != session["user_id"]:
+ raise EngineException(
+ "You are not allowed to change other users username",
+ http_code=HTTPStatus.BAD_REQUEST,
+ )
+
 # user = self.show(session, _id) # Already in 'content'
 original_mapping = content["project_role_mappings"]
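Review bot: The ownership test `_id != session["user_id"]` in the new `# username change` block is skipped whenever `indata.get("system_admin_id")` is truthy, and `indata` looks like the request body, so the check is only as strong as whatever validates that field elsewhere in this method (not visible in the hunk). The exemption should rest on session-derived values, or the supplied `system_admin_id` should be verified against an actual admin account before this block runs; a comment such as `# system_admin_id is caller-supplied; it is verified at <location> before it may waive the ownership check` would make that dependency explicit. The rejection is an authorization failure rather than a malformed request, so `http_code=HTTPStatus.FORBIDDEN,` would be more accurate than `BAD_REQUEST` and is easier to alert on in access logs. The four nested `if`s could be a single guard joined with `and`, which keeps the conditions that gate the refusal on one line for review. The enclosing method of `UserTopicAuth` starts and ends outside the hunk.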