Fix remove callback user privilege access to login
A user with the Callback privilege must not be allowed to log in, similar to IPMI.
From the IPMI point of view this user exists for callback purposes, and
the same behaviour must be maintained in bmcweb to be consistent with IPMI. Hence
remove login access for the callback user.
Tested:
1.Create a user with username 'test1' and privilege -
"Callback" via Redfish.
2.Using that Callback level credentials, try to do
"Get" at this URI https://<ip-addr>/redfish/v1/Systems/system
3.output: Forbidden
4.use same URL to login from webUI with callback privilege
https://<ip-addr>/redfish/v1/Systems/system
5.output: Forbidden
Signed-off-by: anil kumar appana <anil.kumarx.appana@intel.com>
Change-Id: I86dac565fc874e5d0fe033640ffc3de576a1f693
diff --git a/redfish-core/include/privileges.hpp b/redfish-core/include/privileges.hpp
index ec6e6a5..113f66a 100644
--- a/redfish-core/include/privileges.hpp
+++ b/redfish-core/include/privileges.hpp
@@ -192,12 +192,18 @@
static Privileges op{"Login", "ConfigureSelf", "ConfigureComponents"};
return op;
}
- else
+ else if (userRole == "priv-user")
{
// Redfish privilege : Readonly
static Privileges readOnly{"Login", "ConfigureSelf"};
return readOnly;
}
+ else
+ {
+ // Redfish Privilege : No privileges for callback users
+ static Privileges noPriv{};
+ return noPriv;
+ }
}
using OperationMap = boost::container::flat_map<boost::beast::http::verb,
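Review bot: The new final `else` is a catch-all, so it gives the empty privilege set to every role string not matched above, not only to callback users as the comment says. Failing closed is the right default for an authorization mapping, and the comment should state it, e.g. `// Fail closed: callback users and any unrecognised role get no Redfish privileges`. Dropping "Login" here only blocks routes that require a privilege. Whether a callback user can still authenticate, or reach routes that require none, is decided outside this hunk, and the listed test steps exercise a single GET, so that path is worth confirming. The enclosing function starts before the hunk.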
diff --git a/redfish-core/lib/roles.hpp b/redfish-core/lib/roles.hpp
index fbe8653..956f566 100644
--- a/redfish-core/lib/roles.hpp
+++ b/redfish-core/lib/roles.hpp
@@ -61,7 +61,7 @@
}
else if (role == "Callback")
{
- privArray = {"Login"};
+ privArray = {};
}
else
{
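Review bot: `privArray = {};` in the "Callback" branch may not produce an empty list. If `privArray` is a `nlohmann::json` (its declaration is outside the hunk), assigning empty braces value-initialises a json, which is `null` rather than `[]`, so clients reading the role's privilege list would see null instead of an empty array. `privArray = nlohmann::json::array();` states the intent explicitly. A short comment such as `// Callback role: no Redfish privileges, matching the privilege mapping in privileges.hpp` would keep the two files in step. The surrounding if/else chain continues past the end of the hunk.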