Diffstat (limited to 'redfish-core/lib/account_service.hpp')
-rw-r--r-- | redfish-core/lib/account_service.hpp | 45 |
1 files changed, 24 insertions, 21 deletions
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index 8e27930304..2ab0a1e487 100644
--- a/redfish-core/lib/account_service.hpp
+++ b/redfish-core/lib/account_service.hpp
@@ -1846,34 +1846,37 @@ inline void requestAccountServiceRoutes(App& app)
 std::optional<bool> enabled;
 std::optional<std::string> roleId;
 std::optional<bool> locked;
- if (!json_util::readJson(req, asyncResp->res, "UserName",
- newUserName, "Password", password,
- "RoleId", roleId, "Enabled", enabled,
- "Locked", locked))
+
+ Privileges effectiveUserPrivileges =
+ redfish::getUserPrivileges(req.userRole);
+ Privileges configureUsers = {"ConfigureUsers"};
+ bool userHasConfigureUsers =
+ effectiveUserPrivileges.isSupersetOf(configureUsers);
+ if (userHasConfigureUsers)
 {
- return;
+ // Users with ConfigureUsers can modify for all users
+ if (!json_util::readJson(req, asyncResp->res, "UserName",
+ newUserName, "Password", password,
+ "RoleId", roleId, "Enabled",
+ enabled, "Locked", locked))
+ {
+ return;
+ }
 }
-
- // Perform a proper ConfigureSelf authority check. If the
- // session is being used to PATCH a property other than
- // Password, then the ConfigureSelf privilege does not apply.
- // If the user is operating on an account not their own, then
- // their ConfigureSelf privilege does not apply. In either
- // case, perform the authority check again without the user's
- // ConfigureSelf privilege.
- if ((username != req.session->username))
+ else
 {
- Privileges requiredPermissionsToChangeNonSelf = {
- "ConfigureUsers"};
- Privileges effectiveUserPrivileges =
- redfish::getUserPrivileges(req.userRole);
-
- if (!effectiveUserPrivileges.isSupersetOf(
- requiredPermissionsToChangeNonSelf))
+ // ConfigureSelf accounts can only modify their own account
+ if (username != req.session->username)
 {
 messages::insufficientPrivilege(asyncResp->res);
 return;
 }
+ // ConfigureSelf accounts can only modify their password
+ if (!json_util::readJson(req, asyncResp->res, "Password",
+ password))
+ {
+ return;
+ }
 }
 // if user name is not provided in the patch method or if it |