Change ManagerAccount privileges to match registry
As the comment (being deleted in this patchset) says, this is an odd
privilege level to have, and it doesn't actually match the Redfish
Privilege registry. Now that we're no longer tied to the router to make
privilege decisions, this hack can be removed. This should have no
functional impact, as all users have Login Privilege, and we can now
properly filter users that don't have ConfigureSelf, without having to
rely on a single privilege set.
Tested:
Ran redfish service validator on last patchset in this series; No new
failures (UUID has failures on my system, should be unrelated)
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I0a04ff9001f9045d66e3778f04f3eec4b4ff2ec6
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index 4c639ad..582f781 100644
--- a/redfish-core/lib/account_service.hpp
+++ b/redfish-core/lib/account_service.hpp
@@ -1366,13 +1366,7 @@
});
BMCWEB_ROUTE(app, "/redfish/v1/AccountService/Accounts/")
- // According to the PrivilegeRegistry, GET should actually be
- // "Login". A "Login" only privilege would return an empty "Members"
- // list. Not going to worry about this since none of the defined
- // roles are just "Login". E.g. Readonly is {"Login",
- // "ConfigureSelf"}. In the rare event anyone defines a role that
- // has Login but not ConfigureSelf, implement this.
- .privileges({{"ConfigureUsers"}, {"ConfigureSelf"}})
+ .privileges({{"Login"}})
.methods(boost::beast::http::verb::get)(
[](const crow::Request& req,
const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) -> void {
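Review bot: With the route gate lowered to `.privileges({{"Login"}})`, the only thing keeping other users' account entries out of the response is the filtering inside the handler, and the deleted comment was the one place that explained this route's privilege choice. I would put a short replacement above `.privileges`, for example `// Registry privilege for GET is Login; Members is filtered in the handler by ConfigureUsers / ConfigureSelf.`, so a later refactor of the callback does not drop the real access check by accident. The handler body continues outside this hunk.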
@@ -1383,26 +1377,29 @@
{"Name", "Accounts Collection"},
{"Description", "BMC User Accounts"}};
- Privileges requiredPermissionsToSeeNonSelf = {
- {"ConfigureUsers"}};
Privileges effectiveUserPrivileges =
redfish::getUserPrivileges(req.userRole);
- bool userCanSeeAllAccounts =
- effectiveUserPrivileges.isSupersetOf(
- requiredPermissionsToSeeNonSelf);
std::string thisUser = req.session->username;
crow::connections::systemBus->async_method_call(
- [asyncResp, userCanSeeAllAccounts,
- thisUser](const boost::system::error_code ec,
- const ManagedObjectType& users) {
+ [asyncResp, thisUser, effectiveUserPrivileges](
+ const boost::system::error_code ec,
+ const ManagedObjectType& users) {
if (ec)
{
messages::internalError(asyncResp->res);
return;
}
+ bool userCanSeeAllAccounts =
+ effectiveUserPrivileges.isSupersetOf(
+ {{"ConfigureUsers"}});
+
+ bool userCanSeeSelf =
+ effectiveUserPrivileges.isSupersetOf(
+ {{"ConfigureSelf"}});
+
nlohmann::json& memberArray =
asyncResp->res.jsonValue["Members"];
memberArray = nlohmann::json::array();
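Review bot: `userCanSeeAllAccounts` and `userCanSeeSelf` do not depend on the D-Bus reply, yet they are now computed inside the callback, and the whole `effectiveUserPrivileges` object is copied into the closure to make that possible. Computing both before `async_method_call` as `const bool` and capturing them with `[asyncResp, thisUser, userCanSeeAllAccounts, userCanSeeSelf]` keeps the authorization decision next to `getUserPrivileges(req.userRole)` and makes it plain that it is fixed at request time. The lambda body continues outside the hunk.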
@@ -1423,7 +1420,8 @@
// Users without ConfigureUsers, only see their own
// account. Users with ConfigureUsers, see all
// accounts.
- if (thisUser == user || userCanSeeAllAccounts)
+ if (userCanSeeAllAccounts ||
+ (thisUser == user && userCanSeeSelf))
{
memberArray.push_back(
{{"@odata.id",
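Review bot: The context comment above the new condition is now stale: it still says users without ConfigureUsers see their own account, but after this change that holds only when they also have ConfigureSelf, and a Login-only role gets an empty Members list. Suggest rewording it to `// Users with ConfigureUsers see all accounts; users with only ConfigureSelf see just their own; a role with neither gets an empty list.` The per-account GET route is not visible in this patch, so it is worth confirming that it applies the same ConfigureSelf check, otherwise the collection and the individual resource would disagree about what a Login-only user may read. The enclosing loop starts and ends outside the hunk.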