From 91d2132264ad6492529b15717dccdeb1f01de13b Mon Sep 17 00:00:00 2001
From: Matt Hook
Date: Wed, 6 Sep 2023 09:17:04 +1200
Subject: [PATCH] prevent regular users changing their username (#10247)

---
 api/http/handler/users/user_update.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/api/http/handler/users/user_update.go b/api/http/handler/users/user_update.go
index 889187bd5..2911aa9ff 100644
--- a/api/http/handler/users/user_update.go
+++ b/api/http/handler/users/user_update.go
@@ -45,6 +45,7 @@ func (payload *userUpdatePayload) Validate(r *http.Request) error {
 // @id UserUpdate
 // @summary Update a user
 // @description Update user details. A regular user account can only update his details.
+// @description A regular user account cannot change their username or role.
 // @description **Access policy**: authenticated
 // @tags users
 // @security ApiKeyAuth
@@ -97,6 +98,10 @@ func (handler *Handler) userUpdate(w http.ResponseWriter, r *http.Request) *http
 	}
 
 	if payload.Username != "" && payload.Username != user.Username {
+		if tokenData.Role != portainer.AdministratorRole {
+			return httperror.Forbidden("Permission denied. Unable to update username", httperrors.ErrResourceAccessDenied)
+		}
+
 		sameNameUser, err := handler.DataStore.User().UserByUsername(payload.Username)
 		if err != nil && !handler.DataStore.IsErrObjectNotFound(err) {
 			return httperror.InternalServerError("Unable to retrieve users from the database", err)
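Review bot: The new admin-only guard in front of the `UserByUsername` lookup is an authorization decision with no test in this commit; the handler tests should pin that a non-administrator token sending a different `Username` gets the 403 from `httperror.Forbidden`, and that an administrator, or a regular user re-submitting their current username, still passes through. Placing the check inside the `payload.Username != "" && payload.Username != user.Username` branch is the right shape, since an unchanged username is not treated as a change. The swagger line added in the first hunk also states that a regular user cannot change their role, but no role check is visible in this diff; presumably it already exists elsewhere in userUpdate, which is worth confirming now that the API documentation promises it. userUpdate starts and ends outside the hunk.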