fix(security): require administrator role for user and account management#322
Conversation
…ment The admin surface was gated by a single URL rule allowing both administrators and researchers, so a researcher could reach the user, role, portal and news management endpoints and grant themselves the administrator role, disable accounts, or read other users' details. Restrict those endpoints to administrators at the URL layer and add method-level enforcement on the account management controllers so the restriction does not depend on the URL configuration alone.
hirokiterashima
left a comment
There was a problem hiding this comment.
I don't think there's a need to add the comments in WebSecurityConfig- the code is clear enough.
Also, can you restrict access to those links (find user, enable/disable user, etc) from src/main/webapp/portal/admin/index.jsp using <sec:authorize>?
<sec:authorize access="hasRole('ROLE_ADMINISTRATOR')">
only admin users can see this
</sec:authorize>
| // User, role, portal, news and destructive maintenance endpoints must be | ||
| // restricted to administrators. They were previously reachable by researchers | ||
| // through the broad "/admin/**" rule, which let a researcher grant themselves | ||
| // the administrator role or manage other users' accounts. These more specific | ||
| // rules are listed first so they take precedence over the broader ones below. |
There was a problem hiding this comment.
OK to remove comments.
| // User, role, portal, news and destructive maintenance endpoints must be | |
| // restricted to administrators. They were previously reachable by researchers | |
| // through the broad "/admin/**" rule, which let a researcher grant themselves | |
| // the administrator role or manage other users' accounts. These more specific | |
| // rules are listed first so they take precedence over the broader ones below. |
The user management links in the admin index page pointed at endpoints that now require the administrator role, so a researcher would follow them into a 403. Wrap the whole user management section in <sec:authorize> instead, which also drops the nested check around the logged-in user lists. Require the administrator role for /admin/project/updatesharedprojects as well. The page only drives the /api/admin/project/shared endpoints, which administrators alone may call. Drop the WebSecurityConfig comments; the rules speak for themselves.
|
Thanks for the review. Both addressed in 6c825b1.
Two notes on the I also noticed Unrelated to this PR: |
The admin-only rules for /admin/mergeProjectMetadata and /admin/run/replacebase64withpng.html were exact ant patterns. Spring MVC matches a trailing slash and routes /admin/mergeProjectMetadata/ to the controller, but the ant matcher does not, so the request fell through to the broader /admin/** rule and a researcher reached both endpoints. Match these paths the way Spring MVC matches them, and secure the two controllers directly so the rules are not the only guard.
|
While re-reading the rules I added, I found that two of them could be bypassed, so
I confirmed the matcher behavior with a throwaway test before fixing it: The fix switches that rule from One thing I want to check with you. I put a two line comment above the Two things I noticed but did not touch, since they are outside the scope of this PR. Let me know if you want either as a follow up.
|
Addressed suggestions/issues. We'll keep the comments because they explain the reason for the code.
|
LGTM. Thanks for making those changes. Keeping the two-line comment is fine as it explains why we need the code. It would be great to address the additional issues you raised, especially the first one. |
|
🎉 This PR is included in version 1.21.1 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
Summary
Several user and account management endpoints under
/adminwere reachable by the researcher role through the broad/admin/**rule. A researcher could therefore grant themselves the administrator role or manage other users' accounts. This restricts those endpoints to administrators only.Changes
@Secured("ROLE_ADMINISTRATOR")to the user, role, account, portal and news admin controllers./admin/account/**,/admin/portal/**,/admin/news/**,/admin/mergeProjectMetadata,/admin/run/replacebase64withpng.html,/api/admin/**) require the administrator role. These more specific rules are listed before the broader/admin/**rule so they take precedence. Researchers keep access to the remaining/admin/**endpoints.Testing
mvnw package).securedEnabled = true, so the annotations are active.