From 5da8a4378884a520cf38e4c81089d5cbbeedbd78 Mon Sep 17 00:00:00 2001
From: Rakesh Gupta <rakesh.gupta.dev264@gmail.com>
Date: Wed, 29 Oct 2025 15:50:25 +0530
Subject: [PATCH] RANGER-5342: USER-role users with names similar to admin or
 keyadmin can query those admin/keyadmin users.

---
 .../org/apache/ranger/rest/XUserREST.java     | 30 +++++++++++++++----
 .../org/apache/ranger/rest/TestXUserREST.java |  8 ++---
 2 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
index 39b7eb2da3..5874bb23fb 100755
--- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
@@ -23,6 +23,7 @@
 import java.util.Map;
 import java.util.List;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 
 import javax.servlet.http.HttpServletRequest;
@@ -437,15 +438,32 @@ else if ((searchCriteria.getParamList().containsKey("name")) && userName!= null
 					hasRole = !userRolesList.contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) ? userRolesList.add(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) : hasRole;
 					hasRole = !userRolesList.contains(RangerConstants.ROLE_USER) ? userRolesList.add(RangerConstants.ROLE_USER) : hasRole;
 				} else if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_USER)) {
+					if ((CollectionUtils.isNotEmpty(userRolesList) && (userRolesList.size() != 1 || !userRolesList.contains(RangerConstants.ROLE_USER)))
+                            || (userRole != null && !RangerConstants.ROLE_USER.equals(userRole))) {
+						throw restErrorUtil.create403RESTException("Logged-In user is not allowed to access requested user data.");
+					}
+
 					logger.info("Logged-In user having user role will be able to fetch his own user details.");
-					if (!searchCriteria.getParamList().containsKey("name")) {
-						searchCriteria.addParam("name", loggedInVXUser.getName());
-					}else if(searchCriteria.getParamList().containsKey("name")
-							&& !stringUtil.isEmpty(searchCriteria.getParamValue("name").toString())
-							&& !searchCriteria.getParamValue("name").toString().equalsIgnoreCase(loggedInVXUser.getName())){
+
+					if (searchCriteria.getParamList().containsKey("name") && !stringUtil.isEmpty(searchCriteria.getParamValue("name").toString()) && !searchCriteria.getParamValue("name").toString().equalsIgnoreCase(loggedInVXUser.getName())) {
 						throw restErrorUtil.create403RESTException("Logged-In user is not allowed to access requested user data.");
 					}
-									
+
+
+					if (loggedInVXUser != null && !xUserMgr.hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)) {
+						loggedInVXUser = xUserMgr.getMaskedVXUser(loggedInVXUser);
+					}
+
+					VXUserList vXUserList = new VXUserList();
+					vXUserList.setVXUsers(Collections.singletonList(loggedInVXUser));
+					vXUserList.setStartIndex(searchCriteria.getStartIndex());
+					vXUserList.setResultSize(vXUserList.getVXUsers().size());
+					vXUserList.setTotalCount(vXUserList.getVXUsers().size());
+					vXUserList.setPageSize(searchCriteria.getMaxRows());
+					vXUserList.setSortBy(searchCriteria.getSortBy());
+					vXUserList.setSortType(searchCriteria.getSortType());
+
+					return vXUserList;
 				}
 			}
 		}
diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestXUserREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestXUserREST.java
index 4727d0990d..cfe4402a3c 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestXUserREST.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestXUserREST.java
@@ -1890,7 +1890,7 @@ public void test112deleteUsersByUserNameNull() {
 	@SuppressWarnings({ "unchecked", "static-access" })
 	@Test
 	public void test113ErrorWhenRoleUserIsTryingToFetchAnotherUserDetails() {
-	
+
 		destroySession();
 		String userLoginID = "testuser";
 		Long userId = 8L;
@@ -1935,7 +1935,7 @@ public void test113ErrorWhenRoleUserIsTryingToFetchAnotherUserDetails() {
 	@SuppressWarnings({ "unchecked", "static-access" })
 	@Test
 	public void test114RoleUserWillGetOnlyHisOwnUserDetails() {
-	
+
 		destroySession();
 		String userLoginID = "testuser";
 		Long userId = 8L;
@@ -1977,8 +1977,8 @@ public void test114RoleUserWillGetOnlyHisOwnUserDetails() {
 		Mockito.when(searchUtil.extractInt(request, testSearchCriteria, "status", "User Status")).thenReturn(1);
 		Mockito.when(searchUtil.extractStringList(request, testSearchCriteria, "userRoleList", "User Role List", "userRoleList", null,null)).thenReturn(new ArrayList<String>());
 		Mockito.when(searchUtil.extractRoleString(request, testSearchCriteria, "userRole", "Role", null)).thenReturn("");
+		Mockito.when(xUserMgr.hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)).thenReturn(true);
 		Mockito.when(xUserService.getXUserByUserName("testuser")).thenReturn(loggedInUser);
-		Mockito.when(xUserMgr.searchXUsers(testSearchCriteria)).thenReturn(expecteUserList);
 		VXUserList gotVXUserList=xUserRest.searchXUsers(request, null, null);
 		
 		assertEquals(gotVXUserList.getList().size(), 1);
@@ -2017,7 +2017,7 @@ public void test116updateXGroupPermissionWithPermissionIdIsNull() {
 		assertEquals(retVXGroupPermission.getClass(), testVXGroupPermission.getClass());
 
 	}
-	
+
 	@After
 	public void destroySession() {
 		RangerSecurityContext context = new RangerSecurityContext();