guard against returning admin user groups instead of the requested user groups

This commit is contained in:
A.Unger
2021-04-13 14:28:09 +02:00
parent c6951d2e05
commit 985b83a282


@@ -28,9 +28,14 @@ func (o Ocs) ListUserGroups(w http.ResponseWriter, r *http.Request) {
// short circuit if there is a user already in the context
if u, ok := user.ContextGetUser(r.Context()); ok {
if len(u.Groups) > 0 {
mustNotFail(render.Render(w, r, response.DataRender(&data.Groups{Groups: u.Groups})))
return
// we are not sure whether the current user in the context is the admin or the authenticated user.
if u.Username == userid {
// the OCS API is a REST API and it uses the username to look for groups. If the id from the user in the context
// differs from that of the url we can assume we are an admin because we are past the selfOrAdmin middleware.
if len(u.Groups) > 0 {
mustNotFail(render.Render(w, r, response.DataRender(&data.Groups{Groups: u.Groups})))
return
}
}
}