Fix: #620 Vulnerability: Any user can create a new user
albinpa authored and georgepadayatti committed Feb 26, 2024
1 parent dcb2121 commit 2154059
Showing 2 changed files with 1 addition and 2 deletions.
2 changes: 1 addition & 1 deletion internal/http_path/v2/routes.go
Expand Up @@ -134,7 +134,7 @@ func SetRoutes(r *mux.Router, e *casbin.Enforcer, testMode bool) {

// Individual related api(s)
wrapper(ServiceReadIndividual, m.Chain(serviceIndividualHandler.ServiceReadIndividual, m.Logger(), m.ValidateIndividualId(), m.Authorize(e), m.SetApplicationMode(), m.ValidateAPIKey(), m.Authenticate(), m.AddContentType())).Methods("GET")
wrapper(ServiceCreateIndividual, m.Chain(serviceIndividualHandler.ServiceCreateIndividual, m.Logger(), m.ValidateIndividualId(), m.SetApplicationMode(), m.ValidateAPIKey(), m.Authenticate(), m.AddContentType())).Methods("POST")
wrapper(ServiceCreateIndividual, m.Chain(serviceIndividualHandler.ServiceCreateIndividual, m.Logger(), m.ValidateIndividualId(), m.Authorize(e), m.SetApplicationMode(), m.ValidateAPIKey(), m.Authenticate(), m.AddContentType())).Methods("POST")
wrapper(ServiceUpdateIndividual, m.Chain(serviceIndividualHandler.ServiceUpdateIndividual, m.Logger(), m.ValidateIndividualId(), m.Authorize(e), m.SetApplicationMode(), m.ValidateAPIKey(), m.Authenticate(), m.AddContentType())).Methods("PUT")
wrapper(ServiceListIndividuals, m.Chain(serviceIndividualHandler.ServiceListIndividuals, m.Logger(), m.ValidateIndividualId(), m.Authorize(e), m.SetApplicationMode(), m.ValidateAPIKey(), m.Authenticate(), m.AddContentType())).Methods("GET")

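Review bot: The requirement that ServiceCreateIndividual carries m.Authorize(e) is recorded only in that one argument list (taking the second of the two near-identical lines as the new side, as the commit title suggests), so the next route added to this group can miss it in the same way. A short comment above the block would state the rule, for example `// Every route in this group must include m.Authorize(e); access is then decided by the RBAC policy table.` The rbac.go section of this commit appears to drop the user role's POST policy for /service/individual, so it is worth confirming that another role still has a POST policy for that path; otherwise the endpoint is denied for every caller. A regression test asserting that a user-role token is rejected on this route would pin the fix. SetRoutes starts and ends outside the hunk.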
1 change: 0 additions & 1 deletion internal/rbac/rbac.go
Expand Up @@ -81,7 +81,6 @@ func GetRbacPolicies(testMode bool) [][]string {
{"user", "/service/organisation/coverimage", "GET"},
{"user", "/service/organisation/logoimage", "GET"},
{"user", "/service/individuals", "GET"},
{"user", "/service/individual", "POST"},
{"user", "/service/individual/{individualId}", "(GET)|(PUT)"},
{"user", "/service/image/{imageId}", "GET"},
{"user", "/service/individual/record", "DELETE"},
