#408 Fix privilege escalation

TheHive-Project · Dec 22, 2017 · 53bb970 · 53bb970
1 parent 5a86df3
commit 53bb970
Showing 1 changed file with 16 additions and 4 deletions.
diff --git a/thehive-backend/app/controllers/UserCtrl.scala b/thehive-backend/app/controllers/UserCtrl.scala
@@ -46,10 +46,22 @@ class UserCtrl @Inject() (
   @Timed
   def update(id: String): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒
     if (id == request.authContext.userId || request.authContext.roles.contains(Roles.admin)) {
-      if (request.body.contains("password") || request.body.contains("key"))
-        logger.warn("Change password or key using update operation is deprecated. Please use dedicated API (setPassword, changePassword or renewKey)")
-      userSrv.update(id, request.body.unset("password").unset("key")).map { user ⇒
-        renderer.toOutput(OK, user)
+      if (request.body.contains("password")) {
+        Future.failed(AuthorizationError("You must use dedicated API (setPassword, changePassword) to update password"))
+      }
+      else if (request.body.contains("key")) {
+        Future.failed(AuthorizationError("You must use dedicated API (renewKey, removeKey) to update key"))
+      }
+      else if (request.body.contains("role") && !request.authContext.roles.contains(Roles.admin)) {
+        Future.failed(AuthorizationError("You are not permitted to change user role"))
+      }
+      else if (request.body.contains("status") && !request.authContext.roles.contains(Roles.admin)) {
+        Future.failed(AuthorizationError("You are not permitted to change user status"))
+      }
+      else {
+        userSrv.update(id, request.body.unset("password").unset("key")).map { user ⇒
+          renderer.toOutput(OK, user)
+        }
       }
     }
     else {