Prevent account from creating new account with greater permission
authorJeff Halter <redacted>
Mon, 4 Jul 2022 19:41:48 +0000 (12:41 -0700)
committerJeff Halter <redacted>
Mon, 4 Jul 2022 19:41:48 +0000 (12:41 -0700)
hotline/transaction_handlers.go
hotline/transaction_handlers_test.go

index abe2ea8d2c72c01695f7ad474f4c0c63c8857b38..2d03b0723c496239d08ff5bf7f80d86aaba9b1ae 100644 (file)
@@ -805,6 +805,15 @@ func HandleUpdateUser(cc *ClientConn, t *Transaction) (res []Transaction, err er
                        newAccess := accessBitmap{}
                        copy(newAccess[:], getField(fieldUserAccess, &subFields).Data[:])
 
+                       // Prevent account from creating new account with greater permission
+                       for i := 0; i < 64; i++ {
+                               if newAccess.IsSet(i) {
+                                       if !cc.Authorize(i) {
+                                               return append(res, cc.NewErrReply(t, "Cannot create account with more access than yourself.")), err
+                                       }
+                               }
+                       }
+
                        err := cc.Server.NewUser(login, string(getField(fieldUserName, &subFields).Data), string(getField(fieldUserPassword, &subFields).Data), newAccess)
                        if err != nil {
                                return []Transaction{}, err
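Review bot: The guard is placed only in front of the `cc.Server.NewUser` call on L24, so the other branch of HandleUpdateUser — the one that changes an existing account's access bits — appears not to get it, and that is the more direct escalation path (an operator granting an existing account, possibly their own, bits they do not hold); that branch is outside the hunk, so this is inferred from where the hunk sits rather than seen. The same loop should run there against the incoming bitmap before it is written. A smaller point: `err` at the return on L19 is the function's named result, which nothing has assigned yet, so `return append(res, cc.NewErrReply(t, "Cannot create account with more access than yourself.")), nil` says what is meant. Judging by the indentation this sits deep inside a loop over `subFields`, meaning earlier subfields of the same transaction have already been applied by the time the rejection is returned — worth a comment, or a validation pass before any mutation, if that partial application is not intended. HandleUpdateUser begins before and continues after this hunk.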
@@ -834,6 +843,16 @@ func HandleNewUser(cc *ClientConn, t *Transaction) (res []Transaction, err error
        newAccess := accessBitmap{}
        copy(newAccess[:], t.GetField(fieldUserAccess).Data[:])
 
+       // Prevent account from creating new account with greater permission
+       for i := 0; i < 64; i++ {
+               if newAccess.IsSet(i) {
+                       if !cc.Authorize(i) {
+                               res = append(res, cc.NewErrReply(t, "Cannot create account with more access than yourself."))
+                               return res, err
+                       }
+               }
+       }
+
        if err := cc.Server.NewUser(login, string(t.GetField(fieldUserName).Data), string(t.GetField(fieldUserPassword).Data), newAccess); err != nil {
                return []Transaction{}, err
        }
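Review bot: The check on L32–L39 is a verbatim copy of the one added to HandleUpdateUser, which is how the two sites will drift apart the next time the rule changes (for instance when an account-modification path also needs it); factor it into one method on ClientConn and call it from both. `err` on L36 is the unassigned named result, so returning literal `nil` is clearer. The bare `64` should be derived from the bitmap's own size so it cannot silently fall out of step with accessBitmap — `len(bits)*8` works if accessBitmap is a byte array, as the `copy(newAccess[:], …)` on L29 suggests, but confirm the type. HandleNewUser starts before this hunk.
```go
// hasAllAccess reports whether every bit set in bits is also held by this
// connection's account; used to stop an operator from granting privileges
// they do not themselves hold.
func (cc *ClientConn) hasAllAccess(bits accessBitmap) bool {
	for i := 0; i < len(bits)*8; i++ {
		if bits.IsSet(i) && !cc.Authorize(i) {
			return false
		}
	}
	return true
}

// … in HandleNewUser, replacing the inline loop …
if !cc.hasAllAccess(newAccess) {
	return append(res, cc.NewErrReply(t, "Cannot create account with more access than yourself.")), nil
}
```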
index fd66feae5af7a240ac947c6d9039fed939d6d046..bc402542bd609ea903c49aa0bfbead8bfa4caa95 100644 (file)
@@ -1613,6 +1613,48 @@ func TestHandleNewUser(t *testing.T) {
                        },
                        wantErr: assert.NoError,
                },
+               {
+                       name: "when user attempts to create account with greater access",
+                       args: args{
+                               cc: &ClientConn{
+                                       Account: &Account{
+                                               Access: func() accessBitmap {
+                                                       var bits accessBitmap
+                                                       bits.Set(accessCreateUser)
+                                                       return bits
+                                               }(),
+                                       },
+                                       Server: &Server{
+                                               Accounts: map[string]*Account{},
+                                       },
+                               },
+                               t: NewTransaction(
+                                       tranNewUser, &[]byte{0, 1},
+                                       NewField(fieldUserLogin, []byte("userB")),
+                                       NewField(
+                                               fieldUserAccess,
+                                               func() []byte {
+                                                       var bits accessBitmap
+                                                       bits.Set(accessDisconUser)
+                                                       return bits[:]
+                                               }(),
+                                       ),
+                               ),
+                       },
+                       wantRes: []Transaction{
+                               {
+                                       Flags:     0x00,
+                                       IsReply:   0x01,
+                                       Type:      []byte{0, 0x00},
+                                       ID:        []byte{0x9a, 0xcb, 0x04, 0x42},
+                                       ErrorCode: []byte{0, 0, 0, 1},
+                                       Fields: []Field{
+                                               NewField(fieldError, []byte("Cannot create account with more access than yourself.")),
+                                       },
+                               },
+                       },
+                       wantErr: assert.NoError,
+               },
        }
        for _, tt := range tests {
                t.Run(tt.name, func(t *testing.T) {
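Review bot: The new case exercises only HandleNewUser, so the identical guard this commit adds to HandleUpdateUser has no test; TestHandleUpdateUser should get a parallel case where the caller holds whatever bit gates that path but requests a bit it lacks, expecting the same `"Cannot create account with more access than yourself."` reply. It is also worth a second case here in which the requested bits are a strict subset of the caller's, so a regression where `Authorize` rejects everything is caught — if the preceding case ending at L48 already covers that, naming it so would help. The expected reply's `Type` and `ID` bytes on L81–L82 look copied from sibling cases, which is fine only if NewTransaction's ID generation is deterministic under test, something this hunk does not show.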