fix: 某个具有运维权限的用户A，在知道另一个运维用户B的某个授权账号后，可以通过修改前端代码来访问此未授权给用户A的远程主机。

2019-01-21 16:33:47 +08:00 · 2019-01-21 16:33:47 +08:00 · 7a0ab4e3f2
parent 7b08bd2fa2
commit 7a0ab4e3f2
1 changed files with 3 additions and 0 deletions
--- a/server/www/teleport/webroot/app/controller/ops.py
+++ b/server/www/teleport/webroot/app/controller/ops.py
@ -144,6 +144,9 @@ class DoGetSessionIDHandler(TPBaseJsonHandler):
            if err != TPE_OK:
                return self.write_json(err)

+            if ops_auth['u_id'] != self._user['id']:
+                return self.write_json(TPE_PRIVILEGE)
+
            policy_id = ops_auth['p_id']
            acc_id = ops_auth['a_id']
            host_id = ops_auth['h_id']