From 091c0327a55d4f165c880ae1d43d248053c5b706 Mon Sep 17 00:00:00 2001 From: 37177 Date: Fri, 1 Nov 2024 08:55:59 +0000 Subject: [PATCH] Bug 2393 Fixed: Able to change password of other users with no admin privileges Change-Id: I0df905358041df5c261d995c72a96972ae7b30d8 Signed-off-by: 37177 --- osm_nbi/admin_topics.py | 15 +++++++++++++++ osm_nbi/nbi.py | 1 + osm_nbi/tests/test_admin_topics.py | 1 + 3 files changed, 17 insertions(+) diff --git a/osm_nbi/admin_topics.py b/osm_nbi/admin_topics.py index 46bddeb..8ca0b2d 100644 --- a/osm_nbi/admin_topics.py +++ b/osm_nbi/admin_topics.py @@ -1104,6 +1104,21 @@ class UserTopicAuth(UserTopic): http_code=HTTPStatus.UNPROCESSABLE_ENTITY, ) + # password change + if indata.get("password"): + if not session.get("admin_show"): + if not indata.get("system_admin_id"): + if _id != session["user_id"]: + raise EngineException( + "You are not allowed to change other users password", + http_code=HTTPStatus.BAD_REQUEST, + ) + if not indata.get("old_password"): + raise EngineException( + "Password change requires old password or admin ID", + http_code=HTTPStatus.BAD_REQUEST, + ) + # user = self.show(session, _id) # Already in 'content' original_mapping = content["project_role_mappings"] diff --git a/osm_nbi/nbi.py b/osm_nbi/nbi.py index 1bb7927..1b03ea5 100644 --- a/osm_nbi/nbi.py +++ b/osm_nbi/nbi.py @@ -1512,6 +1512,7 @@ class Server(object): "username": token_info["username"], "user_id": token_info["user_id"], "admin": token_info["admin"], + "admin_show": token_info["admin_show"], "public": None, "allow_show_user_project_role": token_info["allow_show_user_project_role"], } diff --git a/osm_nbi/tests/test_admin_topics.py b/osm_nbi/tests/test_admin_topics.py index a4c4918..2ecdbf7 100755 --- a/osm_nbi/tests/test_admin_topics.py +++ b/osm_nbi/tests/test_admin_topics.py 
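Review bot: The new check in the admin_topics.py hunk can be bypassed by the caller: `indata` is the client-supplied request body, so any truthy value for `system_admin_id` skips both the ownership test and the `old_password` requirement, and nothing in the hunk ties that field to the authenticated session. An authorization decision should rest only on the token (`session.get("admin_show")` / the session's admin flags), so the `system_admin_id` branch should be removed or validated against the session; unless the user edit schema is known to reject unknown keys (not visible here), a non-admin can still set another user's password. The `old_password` condition only checks presence, not correctness — presumably the comparison happens elsewhere in the edit path (confirm), otherwise the requirement is cosmetic. A denied change is an authorization failure and reads better as `HTTPStatus.UNAUTHORIZED` than `BAD_REQUEST`; the four nested `if`s can also be flattened. The enclosing method starts and ends outside the hunk.
```python
# password change: authorization rests on the token only, never on request fields
if indata.get("password") and not session.get("admin_show"):
    if _id != session["user_id"]:
        raise EngineException(
            "You are not allowed to change other users password",
            http_code=HTTPStatus.UNAUTHORIZED,
        )
    if not indata.get("old_password"):
        raise EngineException(
            "Password change requires old password",
            http_code=HTTPStatus.UNAUTHORIZED,
        )
# … unchanged: project_role_mappings handling …
```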
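Review bot: In the nbi.py hunk `token_info["admin_show"]` is indexed directly, so a token record that lacks the field (for example one issued or cached before this key was populated, if the token store allows that — not visible here) raises KeyError and turns every request into a server error instead of failing the new authorization check closed. `"admin_show": token_info.get("admin_show", False),` keeps the same value for complete tokens and simply denies the admin shortcut for incomplete ones. The neighbouring keys use the same direct indexing, so this follows the file's existing pattern rather than introducing the risk; the enclosing dict literal starts outside the hunk.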
@@ -927,6 +927,7 @@ class Test_UserTopicAuth(TestCase):
 pid1 = str(uuid4())
 rid1 = str(uuid4())
 self.fake_session["user_id"] = uid
+ self.fake_session["admin_show"] = True
 prms = [
 {
 "project": pid1,
-- 
2.25.1
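Review bot: Setting `self.fake_session["admin_show"] = True` in the shared fixture exercises the new `UserTopicAuth` branch only on its admin short-circuit; the two denials this commit introduces — a non-admin editing another user's password, and a self-edit without `old_password` — have no test. Add a case that leaves `admin_show` falsy, edits an `_id` different from `fake_session["user_id"]`, and asserts `EngineException` is raised, plus one for a self-edit with `password` but no `old_password`. The enclosing test method starts before the hunk.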