zimfarm icon indicating copy to clipboard operation
zimfarm copied to clipboard

Published 20 hours ago verified publisher icon openzim

Workers can impersonate one another

Open benoit74 opened this issue 1 year ago • 3 comments

Problem

The endpoint /worker/{name}/check-in requires an authenticated user but nothing more.

Expected behavior

The endpoint should requires an authenticated user with appropriate rights, and for workers the authenticated user id must match the worker user id (a worker should not be allowed to check-in for another one, could cause serious problems/bugs).

Proposition

  • create a new role WorkerPermissions with two names : "checkin-all" (checkin for any worker) and "checkin-self" (checkin only for yourself)
  • in the "ROLES" map, grant the "checkin-all" to admins (+ managers ?) + grant the "checkin-self" to workers
  • update existing users scope in DB
  • check these permissions in the checkin endpoint code

benoit74 avatar Apr 14 '23 13:04 benoit74