From 9483b9ba7affb5b51c01baa38778db72c1ff16d3 Mon Sep 17 00:00:00 2001
From: Nabil Adouani
Date: Wed, 22 May 2019 14:21:28 +0200
Subject: [PATCH] #408 Fix a typo on user roles patch API, producing a security issue

---
 thehive-backend/app/controllers/UserCtrl.scala | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/thehive-backend/app/controllers/UserCtrl.scala b/thehive-backend/app/controllers/UserCtrl.scala
index 53b3d528a2..29d5354414 100644
--- a/thehive-backend/app/controllers/UserCtrl.scala
+++ b/thehive-backend/app/controllers/UserCtrl.scala
@@ -52,7 +52,7 @@ class UserCtrl @Inject() (
 else if (request.body.contains("key")) {
 Future.failed(AuthorizationError("You must use dedicated API (renewKey, removeKey) to update key"))
 }
- else if (request.body.contains("role") && !request.authContext.roles.contains(Roles.admin)) {
+ else if (request.body.contains("roles") && !request.authContext.roles.contains(Roles.admin)) {
 Future.failed(AuthorizationError("You are not permitted to change user role"))
 }
 else if (request.body.contains("status") && !request.authContext.roles.contains(Roles.admin)) {
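Review bot: The corrected guard on the `+` line is still a deny-list — a non-admin is refused only when the body carries exactly the key `"roles"` (or `"key"`/`"status"`), and this commit itself shows that one misspelled key name in such a list silently turns into a privilege escalation. Consider inverting it to an allow-list: before the per-field checks, reject any request from a non-admin whose body contains a key outside the small set a user may change on their own record, so a new or renamed privileged field is denied by default rather than granted; how to enumerate the body's keys depends on the type of `request.body`, which is not visible here. A regression test that sends a non-admin PATCH carrying `roles` and asserts the `AuthorizationError` would have caught the typo and is worth adding alongside this fix. The enclosing method starts before and ends after this hunk, so its remaining branches were not reviewed.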