External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-07 01:17:37 -02:30
Code Issues Packages Projects Releases Wiki Activity

Prevents the user from adding a token for a user other than themselves

Browse Source 
It's possible to maninpulate the URL to get to the add-token screen
for a different user, which gives the user the idea that they could
possibly add a token for that user, which is not allowed.
This commit is contained in:
Jared Tabor
2018-07-11 17:32:56 -07:00
parent 1b67755358
commit 02f6fa9b0a
1 changed files with 17 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
awx/ui/client/features/users/tokens/users-tokens-add.route.js
View File

@@ -16,6 +16,21 @@ TokensDetailResolve.$inject = [
'ApplicationModel' 'ApplicationModel'
]; ];
function isMeResolve ($rootScope, $stateParams, $state) {
// The user should not be able to add tokens for users other than
// themselves. Adding this redirect so that a user is not able to
// visit the add-token URL directly for a different user.
if (_.has($stateParams, 'user_id') && Number($stateParams.user_id) !== $rootScope.current_user.id) {
$state.go('users');
}
}
isMeResolve.$inject = [
'$rootScope',
'$stateParams',
'$state'
];
export default { export default {
url: '/add-token', url: '/add-token',
name: 'users.edit.tokens.add', name: 'users.edit.tokens.add',
@@ -37,6 +52,7 @@ export default {
} }
}, },
resolve: { resolve: {
resolvedModels: TokensDetailResolve resolvedModels: TokensDetailResolve,
isMe: isMeResolve
} }
}; };