From d7e080295f1f3c2517a440e3911600cec0c190fa Mon Sep 17 00:00:00 2001
From: jayaprakash Mutyala
Date: Thu, 5 Dec 2019 23:29:13 +0000
Subject: privileges: Added noAccess privilege check
Issue: NoAccess user able to get the Systems/system in Redfish Fix: Added privilege check for NoAccess Tested: 1. Verified redfish validator passed 2. Verified NoAccess privilege user on Redfish for /Systems/system url GET: https:///redfish/v1/Systems/system Result: Status is 403 Forbidden Body log: Forbidden
Signed-off-by: jayaprakash Mutyala
Change-Id: Ib0ccb3382a9c33608ef354f1e545c328aec40179
---
 redfish-core/include/privileges.hpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
(limited to 'redfish-core')
diff --git a/redfish-core/include/privileges.hpp b/redfish-core/include/privileges.hpp
index 61253b86c3..423f95be60 100644
--- a/redfish-core/include/privileges.hpp
+++ b/redfish-core/include/privileges.hpp
@@ -192,12 +192,18 @@ inline const Privileges& getUserPrivileges(const std::string& userRole)
 static Privileges op{"Login", "ConfigureSelf", "ConfigureComponents"};
 return op;
 }
- else
+ else if (userRole == "priv-user")
 {
 // Redfish privilege : Readonly
 static Privileges readOnly{"Login", "ConfigureSelf"};
 return readOnly;
 }
+ else
+ {
+ // Redfish privilege : NoAccess
+ static Privileges noaccess;
+ return noaccess;
+ }
 }
 using OperationMap = boost::container::flat_map
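Review bot: The new trailing `else` in getUserPrivileges is a catch-all rather than a match on a NoAccess role, so the comment `// Redfish privilege : NoAccess` understates it: every role string not matched by an earlier branch now receives the empty privilege set. That is the right fail-closed default (the old trailing `else` handed unmatched roles the Readonly set), and it should be recorded so the chain is not reordered later, e.g. `// Redfish privilege : NoAccess; also the deny-by-default result for any unrecognised role`. The Tested section exercises only GET on /Systems/system, so it is worth confirming how a route that requires no privileges treats the empty set. The function begins above the hunk, so the earlier role branches are not visible here.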