Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / 8b8444888a46062371689b10753e8641060fa8df^! / . / redfish-core / lib / account_service.hpp
commit8b8444888a46062371689b10753e8641060fa8df[log] [tgz]
authorAbhilash Raju <abhilash.kollam@gmail.com>Thu Mar 13 02:53:20 2025 -0500
committerEd Tanous <ed@tanous.net>Wed Aug 27 15:17:47 2025 +0000
treecde2b1cf65e660191d2960eabad3332931380e69
parenta52f1d5b25a0c9c4b6e6a69e5f23fb39b26553bf [diff] [blame]
AccountService: Restrict self-configure privilege

Restrict the admin user's privileges to only self-configuration when
the session state is in self-configure mode. Currently, the admin can
modify other users' information even when the admin session is in
isConfigureSelfOnly mode, which appears to be incorrect.
Eg:
1) Expire the admin user password
2) Login bmc with admin credentials
3) Password change required error is generated for the user

Expected after step 3

Admin should not be able to change any user information belonging to
other users until they have changed their own password.

Observed after step 3

Admin was able to change other user's information before changing own
password

Tested By:

1) Expire the admin password using passwd --expire
2) Change user name of other user  as below
```
patch /redfish/v1/AccountService/Accounts/newuser1 -d '{"UserName": "newuser2"}'
```
3) Observed response
```
{
  "error": {
    "@Message.ExtendedInfo": [
      {
        "@odata.type": "#Message.v1_1_1.Message",
        "Message": "There are insufficient privileges for the account or credentials associated with the current session to perform the requested operation.",
        "MessageArgs": [],
        "MessageId": "Base.1.19.InsufficientPrivilege",
        "MessageSeverity": "Critical",
        "Resolution": "Either abandon the operation or change the associated access rights and resubmit the request if the operation failed."
      }
    ],
    "code": "Base.1.19.InsufficientPrivilege",
    "message": "There are insufficient privileges for the account or credentials associated with the current session to perform the requested operation."
  }
}
```
4) Change the admin password
5) Do the step 2 above
6) Operation Resonded with Ok

Change-Id: I8d486e7b77d1ee072e1a49c5d9f8649e694d9d82
Signed-off-by: Abhilash Raju <abhilash.kollam@gmail.com>

diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index 3e9983e..41b7a97 100644
--- a/redfish-core/lib/account_service.hpp
+++ b/redfish-core/lib/account_service.hpp

@@ -2235,7 +2235,8 @@
         redfish::getUserPrivileges(*req.session);
     Privileges configureUsers = {"ConfigureUsers"};
     bool userHasConfigureUsers =
-        effectiveUserPrivileges.isSupersetOf(configureUsers);
+        effectiveUserPrivileges.isSupersetOf(configureUsers) &&
+        !req.session->isConfigureSelfOnly;
     if (userHasConfigureUsers)
     {
         // Users with ConfigureUsers can modify for all users