Prevents the user from adding a token for a user other than themselves

It's possible to manipulate the URL to get to the add-token screen
for a different user, which gives the user the idea that they could
possibly add a token for that user, which is not allowed.
Jared Tabor 2018-07-11 17:32:56 -07:00
parent 1b67755358
commit 02f6fa9b0a
No known key found for this signature in database
GPG Key ID: CC50E67C506270C9


@ -16,6 +16,21 @@ TokensDetailResolve.$inject = [
'ApplicationModel'
];
function isMeResolve ($rootScope, $stateParams, $state) {
// The user should not be able to add tokens for users other than
// themselves. Adding this redirect so that a user is not able to
// visit the add-token URL directly for a different user.
if (_.has($stateParams, 'user_id') && Number($stateParams.user_id) !== $rootScope.current_user.id) {
$state.go('users');
}
}
isMeResolve.$inject = [
'$rootScope',
'$stateParams',
'$state'
];
export default {
url: '/add-token',
name: 'users.edit.tokens.add',
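Review bot: `isMeResolve` will throw a TypeError rather than redirect if `$rootScope.current_user` is undefined (e.g. the route is reached before the session is populated), because the comparison dereferences `current_user.id` unconditionally; guard it, for example `const me = $rootScope.current_user && $rootScope.current_user.id;` before the `!==` check. Two smaller points in the same hunk: `_.has` relies on lodash being in scope, and the hunk does not show an import for `_`, so confirm the module already has one; and the resolve returns `undefined` after calling `$state.go('users')`, which means the original transition is only abandoned if the new transition supersedes it. Returning a rejected promise (or the result of `$state.go(...)`) from the `if` branch makes the abort explicit. Finally, since this is a client-side redirect only, it improves the UX as the commit message describes but does not by itself stop a crafted request; the token-creation endpoint must still check that the target user matches the authenticated user.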
@ -37,6 +52,7 @@ export default {
}
},
resolve: {
resolvedModels: TokensDetailResolve
resolvedModels: TokensDetailResolve,
isMe: isMeResolve
}
};
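Review bot: the new `isMe` resolve always yields `undefined`, because `isMeResolve` has no return value, so nothing in the state can consume it and the key exists only to trigger the side effect. If the intent is a guard rather than data, consider returning a value (`true` on the happy path, a rejected promise otherwise) or, in ui-router, using an `onEnter` hook so that the check is not run as part of the data-resolution phase. Note also that resolve keys run independently, so the `resolvedModels` fetch will still be issued for another user's id even when `isMe` triggers the redirect; if that fetch should not happen for a foreign `user_id`, make `resolvedModels` depend on `isMe`.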