Merge pull request #1290 from wansir/bug-fix

fix: privilege escalation

Merge pull request #1290 from wansir/bug-fix
fix: privilege escalation
cae0911d · KubeSphere CI Bot · GitHub · 67908443 · 0177baf9 · cae0911d
隐藏空白更改
内联并排

Showing with 11 addition and 4 deletion

pkg/apiserver/iam/im.go pkg/apiserver/iam/im.go +5 -0

pkg/models/iam/im.go pkg/models/iam/im.go +6 -4

未找到文件。
--- a/pkg/apiserver/iam/im.go
+++ b/pkg/apiserver/iam/im.go
@@ -160,6 +160,11 @@ func UpdateUser(req *restful.Request, resp *restful.Response) {
 		}
 	}

+	if usernameInHeader == user.Username {
+		// change cluster role by self is not permitted
+		user.ClusterRole = ""
+	}
+
 	result, err := iam.UpdateUser(&user)

 	if err != nil {

--- a/pkg/models/iam/im.go
+++ b/pkg/models/iam/im.go
@@ -1166,11 +1166,13 @@ func UpdateUser(user *models.User) (*models.User, error) {
 		return nil, err
 	}

-	err = CreateClusterRoleBinding(user.Username, user.ClusterRole)
+	if user.ClusterRole != "" {
+		err = CreateClusterRoleBinding(user.Username, user.ClusterRole)

-	if err != nil {
-		klog.Errorln("create cluster role binding filed", err)
-		return nil, err
+		if err != nil {
+			klog.Errorln(err)
+			return nil, err
+		}
 	}

 	// clear auth failed record