author Ed Tanous <edtanous@google.com> 2021-06-03 22:30:29 +0300
committer Ed Tanous <edtanous@google.com> 2021-06-08 22:27:51 +0300
commit 6c51eab135bb573c292d111170bc138b3a4b4eb0 (patch)
tree 4a345e576d5680cd79304a8c58b46811aa439ec2 /redfish-core/lib/redfish_sessions.hpp
parent 2c37b4b0f465344aeea311efd61fd9a217ad8e3e (diff)
Remove Node class from Account Service

This is a progression of 7e860f1550c8686eec42f7a75bc5f2ef51e756ad, which correctly noted that AccountService has a number of class specific variables. This commit removes the Node class from those in line with the aforementioned patchset, and at the same time removes the need for the isAllowedWithoutConfigureSelf method, which was relying on state captured to do some complex rule checking.

Fortunately, it is relatively easy to check current permissions at runtime using the Privileges::isSupersetOf check against the current user's role. This significantly reduces the complexity of the code, while still giving the same result (users with only ConfigureSelf cannot see or modify other users).

Ideally these two things, isAllowedWithoutConfigureSelf, and the Node moving would've been done in separate commits, but given that the former would've required moving a number of features out of the node derived class anyway, separating them would lead to essentially the same diff twice, hence why they are combined for easier review.

Tested: Ran Redfish service validator. No new errors. (UUID error present that appears to be unrelated)

Change-Id: Iad919dbc7ab7e8d47cc1160999ed9f43f685fa56
Signed-off-by: Ed Tanous <edtanous@google.com>

Diffstat (limited to 'redfish-core/lib/redfish_sessions.hpp')
-rw-r--r-- redfish-core/lib/redfish_sessions.hpp 6
1 files changed, 4 insertions, 2 deletions
diff --git a/redfish-core/lib/redfish_sessions.hpp b/redfish-core/lib/redfish_sessions.hpp
index 3ae75eaed1..f7cb7a7391 100644
--- a/redfish-core/lib/redfish_sessions.hpp
+++ b/redfish-core/lib/redfish_sessions.hpp
@@ -106,9 +106,11 @@ class Sessions : public Node
// ConfigureSelf privilege.
if (session->username != req.session->username)
{
- if (!isAllowedWithoutConfigureSelf(req))
+ Privileges effectiveUserPrivileges =
+ redfish::getUserPrivileges(req.userRole);
+
+ if (!effectiveUserPrivileges.isSupersetOf({{"ConfigureUsers"}}))
{
- BMCWEB_LOG_WARNING << "DELETE Session denied access";
messages::insufficientPrivilege(asyncResp->res);
return;
}
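
Review bot: The denial branch no longer logs anything. The removed `BMCWEB_LOG_WARNING << "DELETE Session denied access";` is the only log statement visible in this branch, so after this change a refused attempt to delete another user's session leaves no trace beyond the insufficientPrivilege response. I would keep a warning there, ideally one that says the caller lacked ConfigureUsers, so refused cross-user deletes stay visible in the log. Separately, the comment kept at the top of the hunk still refers to ConfigureSelf while the check is now against the inline literal `{{"ConfigureUsers"}}`; a short comment on the new check, or a named constant for the required privilege set, would make it clear that this comparison replaces isAllowedWithoutConfigureSelf.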