From: Jeff Halter
Date: Mon, 4 Jul 2022 19:41:48 +0000 (-0700)
Subject: Prevent account from creating new account with greater permission
X-Git-Url: https://git.r.bdr.sh/rbdr/mobius/commitdiff_plain/ecb1fcd941a85162b9a799e59bb3b6b0bc1a5580?ds=inline;hp=-c
Prevent account from creating new account with greater permission
--- ecb1fcd941a85162b9a799e59bb3b6b0bc1a5580
diff --git a/hotline/transaction_handlers.go b/hotline/transaction_handlers.go
index abe2ea8..2d03b07 100644
--- a/hotline/transaction_handlers.go
+++ b/hotline/transaction_handlers.go
@@ -805,6 +805,15 @@ func HandleUpdateUser(cc *ClientConn, t *Transaction) (res []Transaction, err er
 newAccess := accessBitmap{}
 copy(newAccess[:], getField(fieldUserAccess, &subFields).Data[:])
 
+ // Prevent account from creating new account with greater permission
+ for i := 0; i < 64; i++ {
+ if newAccess.IsSet(i) {
+ if !cc.Authorize(i) {
+ return append(res, cc.NewErrReply(t, "Cannot create account with more access than yourself.")), err
+ }
+ }
+ }
+
 err := cc.Server.NewUser(login, string(getField(fieldUserName, &subFields).Data), string(getField(fieldUserPassword, &subFields).Data), newAccess)
 if err != nil {
 return []Transaction{}, err
@@ -834,6 +843,16 @@ func HandleNewUser(cc *ClientConn, t *Transaction) (res []Transaction, err error
 newAccess := accessBitmap{}
 copy(newAccess[:], t.GetField(fieldUserAccess).Data[:])
 
+ // Prevent account from creating new account with greater permission
+ for i := 0; i < 64; i++ {
+ if newAccess.IsSet(i) {
+ if !cc.Authorize(i) {
+ res = append(res, cc.NewErrReply(t, "Cannot create account with more access than yourself."))
+ return res, err
+ }
+ }
+ }
+
 if err := cc.Server.NewUser(login, string(t.GetField(fieldUserName).Data), string(t.GetField(fieldUserPassword).Data), newAccess); err != nil {
 return []Transaction{}, err
 }
diff --git a/hotline/transaction_handlers_test.go b/hotline/transaction_handlers_test.go
index fd66fea..bc40254 100644
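Review bot: The subset check is added only on the branch that ends in `cc.Server.NewUser`; the hunk does not show whether the part of HandleUpdateUser that changes an existing account's access compares the requested bits with the caller's, and if it does not, that path can still grant bits the caller lacks. The same loop is pasted into the HandleNewUser hunk, so I would move it into one helper that every path writing an access bitmap calls, and take the bit count from the bitmap instead of the literal `64`. The helper below assumes `accessBitmap` is a byte array, which the `newAccess[:]` copy suggests. HandleUpdateUser starts and ends outside the hunk.

```go
// holdsAll reports whether the caller is authorized for every bit set in requested.
func (cc *ClientConn) holdsAll(requested accessBitmap) bool {
	for i := 0; i < len(requested)*8; i++ {
		if requested.IsSet(i) && !cc.Authorize(i) {
			return false
		}
	}
	return true
}

// … unchanged: newAccess copied from fieldUserAccess …
if !cc.holdsAll(newAccess) {
	return append(res, cc.NewErrReply(t, "Cannot create account with more access than yourself.")), err
}
// … unchanged: cc.Server.NewUser call …
```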
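Review bot: The refusal path in HandleNewUser returns the error reply without leaving any server-side record, unless `NewErrReply` or the caller of this handler logs it, which the hunk does not show. A request for access the caller does not hold is worth an audit line: before `return res, err` I would log the requesting account's login, the login being created and the first refused bit index `i`, using whatever logger the handler already has in scope. The same applies to the matching branch in the HandleUpdateUser hunk. HandleNewUser's body continues outside the hunk.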
--- a/hotline/transaction_handlers_test.go
+++ b/hotline/transaction_handlers_test.go
@@ -1613,6 +1613,48 @@ func TestHandleNewUser(t *testing.T) {
 },
 wantErr: assert.NoError,
 },
+ {
+ name: "when user attempts to create account with greater access",
+ args: args{
+ cc: &ClientConn{
+ Account: &Account{
+ Access: func() accessBitmap {
+ var bits accessBitmap
+ bits.Set(accessCreateUser)
+ return bits
+ }(),
+ },
+ Server: &Server{
+ Accounts: map[string]*Account{},
+ },
+ },
+ t: NewTransaction(
+ tranNewUser, &[]byte{0, 1},
+ NewField(fieldUserLogin, []byte("userB")),
+ NewField(
+ fieldUserAccess,
+ func() []byte {
+ var bits accessBitmap
+ bits.Set(accessDisconUser)
+ return bits[:]
+ }(),
+ ),
+ ),
+ },
+ wantRes: []Transaction{
+ {
+ Flags: 0x00,
+ IsReply: 0x01,
+ Type: []byte{0, 0x00},
+ ID: []byte{0x9a, 0xcb, 0x04, 0x42},
+ ErrorCode: []byte{0, 0, 0, 1},
+ Fields: []Field{
+ NewField(fieldError, []byte("Cannot create account with more access than yourself.")),
+ },
+ },
+ },
+ wantErr: assert.NoError,
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
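Review bot: The new table entry covers only a request whose single bit (`accessDisconUser`) is disjoint from the caller's (`accessCreateUser`), and only through HandleNewUser. I would add an entry where the requested bitmap sets both `accessCreateUser` and `accessDisconUser`, to pin that one unheld bit among held ones is still refused, and a matching case in the HandleUpdateUser tests for the branch the first hunk changes. Asserting that `Server.Accounts` is still empty after the call would also prove that no account was written, not just that an error reply came back. The runner loop continues outside the hunk, so that assertion may need a small extension there.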