No role on user results in logging in with role bounds? #66

epilys · 2023-05-04T18:06:33Z

I noticed this:

Lines 159 to 165 in 7e8f0ef

    
           fn contains(&self, role: Option<Role>) -> bool { 
        
               if let Some(role) = role { 
        
                   RangeBounds::contains(self, &role) 
        
               } else { 
        
                   role.is_none() 
        
               } 
        
           }

This returns true if a user's role is None which means this check will authorize the user:

axum-login/axum-login/src/auth.rs

Line 212 in 7e8f0ef

Some(user) if self.role_bounds.contains(user.get_role()) => {

The text was updated successfully, but these errors were encountered:

Because we can't know if RoleBounds is a full range or not, we cannot know if a None role means we must authenticate the user. So make RoleBounds optional. Closes maxcountryman#66

Because we can't know if RoleBounds is a full range or not, we cannot know if a None role means we must authenticate the user. So make RoleBounds optional. Closes #66

epilys mentioned this issue May 5, 2023

Make role_bounds optional to require just login #67

Merged

maxcountryman closed this as completed in #67 May 10, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

No role on user results in logging in with role bounds? #66

No role on user results in logging in with role bounds? #66

epilys commented May 4, 2023

No role on user results in logging in with role bounds? #66

No role on user results in logging in with role bounds? #66

Comments

epilys commented May 4, 2023