Prevent users from editing their own account #1764

jrjohnson · 2017-02-27T17:47:35Z

Without this check it is possible for a user to add roles to their own
account. This happens because doctrine keeps the User object in sync
between our authentication token and the user we modify in the
controller. Since our process is to modify users and then check
authentication anyone can send a set of roles they want and the roles
will be applied before the authorization is checked.

Fixes #1762

Without this check it is possible for a user to add roles to their own account. This happens because doctrine keeps the User object in sync between our authentication token and the user we modify in the controller. Since our process is to modify users and then check authentication anyone can send a set of roles they want and the roles will be applied before the authorization is checked.

jrjohnson added in progress Ready for Review labels Feb 27, 2017

stopfstedt self-assigned this Feb 27, 2017

stopfstedt approved these changes Feb 27, 2017

View reviewed changes

stopfstedt merged commit 13a70cd into ilios:master Feb 27, 2017

stopfstedt removed the in progress label Feb 27, 2017

jrjohnson deleted the 1762-ownroles branch February 27, 2017 18:37

homu mentioned this pull request Feb 27, 2017

Switch from Forms to our own serialization #1751

Merged

30 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Prevent users from editing their own account #1764

Prevent users from editing their own account #1764

jrjohnson commented Feb 27, 2017

Prevent users from editing their own account #1764

Prevent users from editing their own account #1764

Conversation

jrjohnson commented Feb 27, 2017