github
/
portainer
mirror of https://github.com/portainer/portainer
1
0
Fork 0
Code Issues Releases Wiki Activity

fix(users): hide admin users for non admins from user list API [EE-6290] (#10579)

Browse Source 
* hide admin users for non admins from user list API

* address review comments
pull/10581/head
Prabhat Khera 1 year ago committed by GitHub
parent 2af2827cba
commit 47845523a5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 21 additions and 25 deletions
Show Stats Download Patch File Download Diff File

46
api/http/handler/users/user_list.go
Unescape View File

@ -10,6 +10,13 @@ import (
"github.com/portainer/portainer/api/http/security" "github.com/portainer/portainer/api/http/security"
) )
type User struct {
ID portainer.UserID `json:"Id" example:"1"`
Username string `json:"Username" example:"bob"`
// User role (1 for administrator account and 2 for regular account)
Role portainer.UserRole `json:"Role" example:"1"`
}
// @id UserList // @id UserList
// @summary List users // @summary List users
// @description List Portainer users. // @description List Portainer users.
@ -41,16 +48,10 @@ func (handler *Handler) userList(w http.ResponseWriter, r *http.Request) *httper
} }
availableUsers := security.FilterUsers(users, securityContext) availableUsers := security.FilterUsers(users, securityContext)
for i := range availableUsers {
hideFields(&availableUsers[i])
}
endpointID, _ := request.RetrieveNumericQueryParameter(r, "environmentId", true) endpointID, _ := request.RetrieveNumericQueryParameter(r, "environmentId", true)
if endpointID == 0 { if endpointID == 0 {
if securityContext.IsAdmin { return response.JSON(w, sanitizeUsers(availableUsers))
sanitizeUsers(users)
}
return response.JSON(w, users)
} }
// filter out users who do not have access to the specific endpoint // filter out users who do not have access to the specific endpoint
@ -64,14 +65,11 @@ func (handler *Handler) userList(w http.ResponseWriter, r *http.Request) *httper
return httperror.InternalServerError("Unable to retrieve environment groups from the database", err) return httperror.InternalServerError("Unable to retrieve environment groups from the database", err)
} }
canAccessEndpoint := make([]portainer.User, 0) canAccessEndpoint := make([]User, 0)
for _, user := range availableUsers { for _, user := range availableUsers {
// the users who have the endpoint authorization // the users who have the endpoint authorization
if _, ok := user.EndpointAuthorizations[endpoint.ID]; ok { if _, ok := user.EndpointAuthorizations[endpoint.ID]; ok {
if securityContext.IsAdmin { canAccessEndpoint = append(canAccessEndpoint, sanitizeUser(user))
sanitizeUser(&user)
}
canAccessEndpoint = append(canAccessEndpoint, user)
continue continue
} }
@ -82,27 +80,25 @@ func (handler *Handler) userList(w http.ResponseWriter, r *http.Request) *httper
} }
if security.AuthorizedEndpointAccess(endpoint, endpointGroup, user.ID, teamMemberships) { if security.AuthorizedEndpointAccess(endpoint, endpointGroup, user.ID, teamMemberships) {
if securityContext.IsAdmin { canAccessEndpoint = append(canAccessEndpoint, sanitizeUser(user))
sanitizeUser(&user)
}
canAccessEndpoint = append(canAccessEndpoint, user)
} }
} }
return response.JSON(w, canAccessEndpoint) return response.JSON(w, canAccessEndpoint)
} }
func sanitizeUser(user *portainer.User) { func sanitizeUser(user portainer.User) User {
user.Password = "" return User{
user.EndpointAuthorizations = nil ID: user.ID,
user.ThemeSettings = portainer.UserThemeSettings{} Username: user.Username,
user.PortainerAuthorizations = nil Role: user.Role,
user.UserTheme = "" }
user.TokenIssueAt = 0
} }
func sanitizeUsers(users []portainer.User) { func sanitizeUsers(users []portainer.User) []User {
u := make([]User, len(users))
for i := range users { for i := range users {
sanitizeUser(&users[i]) u[i] = sanitizeUser(users[i])
} }
return u
} }

Write Preview
Loading…
Cancel
Save