projects / arvados.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 41a378b)
19206: Avoids disabling or setting system root user as non-admin. 19206-root-user-disabling-fix
authorLucas Di Pentima <lucas.dipentima@curii.com>
Wed, 13 Jul 2022 20:38:26 +0000 (17:38 -0300)
committerLucas Di Pentima <lucas.dipentima@curii.com>
Wed, 13 Jul 2022 20:38:26 +0000 (17:38 -0300)
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima@curii.com>

services/api/app/models/user.rb patch | blob | history

diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb
index 52d36ac57735f0c16d4b0ed6271a50681e08e05b..d39695e27b19c82244c35e800db6107bf19cb950 100644 (file)
--- a/services/api/app/models/user.rb
+++ b/services/api/app/models/user.rb
@@ -24,6 +24,7 @@ class User < ArvadosModel
   validate :identity_url_nil_if_empty
   before_update :prevent_privilege_escalation
   before_update :prevent_inactive_admin
+  before_update :prevent_nonadmin_system_root
   before_update :verify_repositories_empty, :if => Proc.new {
     username.nil? and username_changed?
   }
@@ -301,6 +302,10 @@ SELECT target_uuid, perm_level
 
   # delete user signatures, login, repo, and vm perms, and mark as inactive
   def unsetup
+    if self.uuid == system_user_uuid
+      raise "System root user cannot be deactivated"
+    end
+
     # delete oid_login_perms for this user
     #
     # note: these permission links are obsolete, they have no effect
@@ -702,6 +707,13 @@ SELECT target_uuid, perm_level
     true
   end
 
+  def prevent_nonadmin_system_root
+    if self.uuid == system_user_uuid and self.is_admin_changed? and !self.is_admin
+      raise "System root user cannot be non-admin"
+    end
+    true
+  end
+
   def search_permissions(start, graph, merged={}, upstream_mask=nil, upstream_path={})
     nextpaths = graph[start]
     return merged if !nextpaths