From 0177baf9169eca81a62e5a94ff2fc8563953349d Mon Sep 17 00:00:00 2001
From: hongming
Date: Thu, 31 Oct 2019 15:42:03 +0800
Subject: [PATCH] fix: privilege escalation

Signed-off-by: hongming
---
 pkg/apiserver/iam/im.go | 5 +++++
 pkg/models/iam/im.go | 10 ++++++----
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/pkg/apiserver/iam/im.go b/pkg/apiserver/iam/im.go
index edd7b2a2..2957d0e2 100644
--- a/pkg/apiserver/iam/im.go
+++ b/pkg/apiserver/iam/im.go
@@ -160,6 +160,11 @@ func UpdateUser(req *restful.Request, resp *restful.Response) {
 }
 }

+ if usernameInHeader == user.Username {
+ // change cluster role by self is not permitted
+ user.ClusterRole = ""
+ }
+
 result, err := iam.UpdateUser(&user)

 if err != nil {
diff --git a/pkg/models/iam/im.go b/pkg/models/iam/im.go
index ec98d7f2..cef5b10b 100644
--- a/pkg/models/iam/im.go
+++ b/pkg/models/iam/im.go
@@ -1166,11 +1166,13 @@ func UpdateUser(user *models.User) (*models.User, error) {
 return nil, err
 }

- err = CreateClusterRoleBinding(user.Username, user.ClusterRole)
+ if user.ClusterRole != "" {
+ err = CreateClusterRoleBinding(user.Username, user.ClusterRole)

- if err != nil {
- klog.Errorln("create cluster role binding filed", err)
- return nil, err
+ if err != nil {
+ klog.Errorln(err)
+ return nil, err
+ }
 }

 // clear auth failed record
-- GitLab
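Review bot: The self-update guard in the apiserver hunk silently blanks `user.ClusterRole` and then continues into `iam.UpdateUser`, so a requester who submits a changed cluster role for their own account receives a success response while the field is discarded, and nothing records that an escalation was attempted. Rejecting the request is the clearer contract: when `usernameInHeader == user.Username && user.ClusterRole != ""`, write a 403 with an explanatory error and return, and log the attempt so it is visible in audit trails. The guard only compares against the username carried in the request body; if the target user is also identified by a path parameter, the comparison should use that value, as a mismatched body username would bypass this check — I cannot confirm from the hunk which one the handler treats as authoritative. `usernameInHeader` is set outside the hunk and the enclosing UpdateUser continues past it on both sides, so the surrounding authorization logic is not visible here.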
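Review bot: The new error branch in the models hunk logs only `klog.Errorln(err)`, dropping the "create cluster role binding" context the removed line carried (its "filed" typo aside), so the log and the returned error no longer identify which step of UpdateUser failed; wrapping keeps the context for both, e.g. `err = fmt.Errorf("creating cluster role binding for %q: %w", user.Username, err)` followed by `klog.Errorln(err)` and `return nil, err`, or at minimum `klog.Errorln("create cluster role binding failed", err)`. The new `if user.ClusterRole != ""` guard also changes what an empty role means: if the lines above the hunk remove the user's existing binding before this point (the `return nil, err` just above suggests a preceding step, but it is not visible here), a self-update that now arrives with a blanked ClusterRole would leave the user with no cluster role at all rather than an unchanged one, which should be confirmed against the deletion logic. The enclosing UpdateUser starts and ends outside the hunk.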