Limit Sysadmin Updating (no self modify, no system user modify) #8155
base: master
- Added extra validator to updating a user's sysadmin value.
- Added change log file.
- Minor fix to new test.
- Flake8 syntax fixes.
- Pyright fixes.
- Fixed logic in new validator.
- Using ignore_auth with fake user should be allowed.
- Using ignore_auth with fake user should be allowed.
- Better logic for no value provided.
- Return values for new validator.
Wow okay, finally got all the tests working.
This looks great @JVickery-TBS , just some comments
Co-authored-by: Adrià Mercader <amercadero@gmail.com>
- More test coverage.
- Updated some logic and errors.
- flake8 fixes.
ooohh @amercader I am suddenly recalling another reason why I did the So should I check the ignore_auth thing still if the provided user does not exist in the DB? Or is there a better way to do that?
- Use site id instead of loopback.
@amercader I tried changing the
no worries @JVickery-TBS this is on my list to have a closer look. I'll figure out what's the best approach
feat(validator): sysadmin update;
Proposed fixes:
Adds an extra validator to the user schema which limits the capabilities of modifying a User's sysadmin value. Limits it so you cannot modify your own sysadmin value, or the system user's sysadmin value.
Features:
Please [X] all the boxes above that apply
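
The rules described in this pull request (no self-modification, no change to the system user, no change when no value is provided, `ignore_auth` calls allowed), as an added example that is not the PR's or the project's own code. `User`, `SITE_USER`, `ValidationError` and `validate_sysadmin_update` are hypothetical names, the order of the checks is an assumption, and whether the acting user is a sysadmin at all is assumed to be checked by the authorization layer.

```python
from dataclasses import dataclass
from typing import Optional


class ValidationError(Exception):
    """Raised when a change to a user's sysadmin flag is refused."""


@dataclass
class User:
    name: str
    sysadmin: bool = False


# Assumption: the internal system user is identified by the site id.
SITE_USER = "site_user"


def validate_sysadmin_update(target: User, new_value: Optional[bool],
                             acting_user: Optional[str],
                             ignore_auth: bool = False) -> bool:
    """Return the sysadmin value to store for `target`, or raise."""
    # No value provided, or no actual change: keep the stored flag.
    if new_value is None or new_value == target.sysadmin:
        return target.sysadmin
    # The system user's flag is never changed through a user update
    # (assumption in this sketch: this holds even with ignore_auth).
    if target.name == SITE_USER:
        raise ValidationError("Cannot modify sysadmin for the system user")
    # Internal calls that skip authorization are allowed, even when the
    # acting user name does not correspond to a real account.
    if ignore_auth:
        return new_value
    if acting_user is None:
        raise ValidationError("Unauthorized to modify sysadmin privileges")
    # A user may neither promote nor demote themselves.
    if acting_user == target.name:
        raise ValidationError("Cannot modify your own sysadmin privileges")
    return new_value
```
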