From bc0050a7b4633c68624c61146d45e544f59e5fee Mon Sep 17 00:00:00 2001
From: cmeng
Date: Thu, 19 Oct 2023 16:23:14 +1300
Subject: [PATCH] fix(user-token): prevent admin read tokens of other admins EE-5858 (#10489)
---
 .../handler/users/user_get_access_tokens.go | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/api/http/handler/users/user_get_access_tokens.go b/api/http/handler/users/user_get_access_tokens.go
index a98b5094b..dbfa0c0d9 100644
--- a/api/http/handler/users/user_get_access_tokens.go
+++ b/api/http/handler/users/user_get_access_tokens.go
@@ -33,16 +33,7 @@ func (handler *Handler) userGetAccessTokens(w http.ResponseWriter, r *http.Reque
 return httperror.BadRequest("Invalid user identifier route variable", err)
 }
- tokenData, err := security.RetrieveTokenData(r)
- if err != nil {
- return httperror.InternalServerError("Unable to retrieve user authentication token", err)
- }
-
- if tokenData.Role != portainer.AdministratorRole && tokenData.ID != portainer.UserID(userID) {
- return httperror.Forbidden("Permission denied to get user access tokens", httperrors.ErrUnauthorized)
- }
-
- _, err = handler.DataStore.User().Read(portainer.UserID(userID))
+ user, err := handler.DataStore.User().Read(portainer.UserID(userID))
 if err != nil {
 if handler.DataStore.IsErrObjectNotFound(err) {
 return httperror.NotFound("Unable to find a user with the specified identifier inside the database", err)
@@ -50,6 +41,15 @@ func (handler *Handler) userGetAccessTokens(w http.ResponseWriter, r *http.Reque
 return httperror.InternalServerError("Unable to find a user with the specified identifier inside the database", err)
 }
+ tokenData, err := security.RetrieveTokenData(r)
+ if err != nil {
+ return httperror.InternalServerError("Unable to retrieve user authentication token", err)
+ }
+
+ if tokenData.ID != portainer.UserID(userID) && (tokenData.Role != portainer.AdministratorRole || user.Role == portainer.AdministratorRole) {
+ return httperror.Forbidden("Permission denied to get user access tokens", httperrors.ErrUnauthorized)
+ }
+
 apiKeys, err := handler.apiKeyService.GetAPIKeys(portainer.UserID(userID))
 if err != nil {
 return httperror.InternalServerError("Internal Server Error", err)
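Review bot: The authorization check now runs only after `handler.DataStore.User().Read(...)` succeeds, so a non-admin requesting another user's ID receives 404 when that ID is absent and 403 when it exists, which lets the endpoint reveal which user IDs are present; the deletion in the first hunk is what moved the check behind the read. Only the admin-reads-admin half of the new condition needs `user.Role`; the self-or-admin half can stay ahead of the read as it was before, so a caller who is neither gets the same 403 regardless of whether the ID exists. Splitting the combined boolean into two named checks also makes the policy readable, and a one-line comment on each half (`// anyone may read their own tokens; admins may read non-admins' tokens` and `// an admin may not read another admin's tokens`) would document the intent the commit message describes. userGetAccessTokens begins and ends outside this hunk, so the RetrieveTokenData block would move back above the read in the first hunk's region.
```go
	tokenData, err := security.RetrieveTokenData(r)
	if err != nil {
		return httperror.InternalServerError("Unable to retrieve user authentication token", err)
	}

	// Anyone may read their own tokens; only admins may read someone else's.
	// Checked before the store lookup so a forbidden caller cannot tell an
	// existing ID from a missing one via 404 vs 403.
	isSelf := tokenData.ID == portainer.UserID(userID)
	if !isSelf && tokenData.Role != portainer.AdministratorRole {
		return httperror.Forbidden("Permission denied to get user access tokens", httperrors.ErrUnauthorized)
	}

	user, err := handler.DataStore.User().Read(portainer.UserID(userID))
	// … unchanged: not-found / internal error handling …

	// An admin may not read another admin's tokens.
	if !isSelf && user.Role == portainer.AdministratorRole {
		return httperror.Forbidden("Permission denied to get user access tokens", httperrors.ErrUnauthorized)
	}

	// … unchanged: GetAPIKeys call and response …
```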