From 4e8873ba05e44e49284e05e6fdc0913c525269b3 Mon Sep 17 00:00:00 2001 From: Lucas Di Pentima Date: Wed, 13 Jul 2022 17:38:26 -0300 Subject: [PATCH] 19206: Avoids disabling or setting system root user as non-admin. Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima --- services/api/app/models/user.rb | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb index 52d36ac577..d39695e27b 100644 --- a/services/api/app/models/user.rb +++ b/services/api/app/models/user.rb @@ -24,6 +24,7 @@ class User < ArvadosModel validate :identity_url_nil_if_empty before_update :prevent_privilege_escalation before_update :prevent_inactive_admin + before_update :prevent_nonadmin_system_root before_update :verify_repositories_empty, :if => Proc.new { username.nil? and username_changed? } @@ -301,6 +302,10 @@ SELECT target_uuid, perm_level # delete user signatures, login, repo, and vm perms, and mark as inactive def unsetup + if self.uuid == system_user_uuid + raise "System root user cannot be deactivated" + end + # delete oid_login_perms for this user # # note: these permission links are obsolete, they have no effect @@ -702,6 +707,13 @@ SELECT target_uuid, perm_level true end + def prevent_nonadmin_system_root + if self.uuid == system_user_uuid and self.is_admin_changed? and !self.is_admin + raise "System root user cannot be non-admin" + end + true + end + def search_permissions(start, graph, merged={}, upstream_mask=nil, upstream_path={}) nextpaths = graph[start] return merged if !nextpaths -- 2.30.2