author | Ed Tanous <edtanous@google.com> | 2021-06-03 23:45:10 +0300 |
---|---|---|
committer | Ed Tanous <ed@tanous.net> | 2021-06-09 02:12:16 +0300 |
commit | cef1ddfb4ff56100beb1d11a491f79d4abce4864 (patch) | |
tree | 0275a0f054d11229d307e3d49f6e658beff1e9ee | |
parent | 6c51eab135bb573c292d111170bc138b3a4b4eb0 (diff) | |
download | bmcweb-cef1ddfb4ff56100beb1d11a491f79d4abce4864.tar.xz |
Change ManagerAccount privileges to match registry
As the comment (being deleted in this patchset) says, this is an odd
privilege level to have, and it doesn't actually match the Redfish
Privilege registry. Now that we're no longer tied to the router to make
privilege decisions, this hack can be removed. This should have no
functional impact, as all users have Login Privilege, and we can now
properly filter users that don't have ConfigureSelf, without having to
rely on a single privilege set.
Tested:
Ran redfish service validator on last patchset in this series; No new
failures (UUID has failures on my system, should be unrelated)
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I0a04ff9001f9045d66e3778f04f3eec4b4ff2ec6
-rw-r--r-- | redfish-core/lib/account_service.hpp | 30 |
1 files changed, 14 insertions, 16 deletions
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp index 4c639ad935..582f781868 100644 --- a/redfish-core/lib/account_service.hpp +++ b/redfish-core/lib/account_service.hpp @@ -1366,13 +1366,7 @@ inline void requestAccountServiceRoutes(App& app) }); BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/") - // According to the PrivilegeRegistry, GET should actually be - // "Login". A "Login" only privilege would return an empty "Members" - // list. Not going to worry about this since none of the defined - // roles are just "Login". E.g. Readonly is {"Login", - // "ConfigureSelf"}. In the rare event anyone defines a role that - // has Login but not ConfigureSelf, implement this. - .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}}) + .privileges({{"Login"}}) .methods(boost::beast::http::verb::get)( [](const crow::Request& req, const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) -> void { 
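Review bot: With the route gate lowered to `Login`, the per-member filter inside the GET handler is the only thing that stops a session from listing other accounts, and the new `.privileges({{"Login"}})` line has no comment saying so now that the old explanation is deleted. I would add a short comment above it, for example `// Registry requires only Login; which members are visible is decided in the handler (ConfigureUsers / ConfigureSelf)`. The Tested section mentions only the service validator, so a check that a role with Login alone receives an empty `Members` array would pin the behaviour the description relies on. The handler body continues outside this hunk.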
@@ -1383,26 +1377,29 @@ inline void requestAccountServiceRoutes(App& app) {"Name", "Accounts Collection"}, {"Description", "BMC User Accounts"}}; - Privileges requiredPermissionsToSeeNonSelf = { - {"ConfigureUsers"}}; Privileges effectiveUserPrivileges = redfish::getUserPrivileges(req.userRole); - bool userCanSeeAllAccounts = - effectiveUserPrivileges.isSupersetOf( - requiredPermissionsToSeeNonSelf); std::string thisUser = req.session->username; crow::connections::systemBus->async_method_call( - [asyncResp, userCanSeeAllAccounts, - thisUser](const boost::system::error_code ec, - const ManagedObjectType& users) { + [asyncResp, thisUser, effectiveUserPrivileges]( + const boost::system::error_code ec, + const ManagedObjectType& users) { if (ec) { messages::internalError(asyncResp->res); return; } + bool userCanSeeAllAccounts = + effectiveUserPrivileges.isSupersetOf( + {{"ConfigureUsers"}}); + + bool userCanSeeSelf = + effectiveUserPrivileges.isSupersetOf( + {{"ConfigureSelf"}}); + nlohmann::json& memberArray = asyncResp->res.jsonValue["Members"]; memberArray = nlohmann::json::array(); @@ -1423,7 +1420,8 @@ inline void requestAccountServiceRoutes(App& app) // Users without ConfigureUsers, only see their own // account. Users with ConfigureUsers, see all // accounts. - if (thisUser == user || userCanSeeAllAccounts) + if (userCanSeeAllAccounts || + (thisUser == user && userCanSeeSelf)) { memberArray.push_back( {{"@odata.id", |
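Review bot: The comment kept directly above the new condition in the last hunk is now stale. It still says users without ConfigureUsers see their own account, but `(thisUser == user && userCanSeeSelf)` hides that entry unless the caller also holds ConfigureSelf. Suggest rewording it to `// ConfigureUsers: all accounts. ConfigureSelf: own account only. Neither: no members.` so the documented access rule matches the check. The loop this condition sits in starts and ends outside the hunk.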