Merge pull request #1290 from wansir/bug-fix

fix: privilege escalation
2019-11-01 15:10:58 +08:00
parent 6790844340 0177baf916
commit cae0911d46
2 changed files with 11 additions and 4 deletions
--- a/pkg/apiserver/iam/im.go
+++ b/pkg/apiserver/iam/im.go
@@ -160,6 +160,11 @@ func UpdateUser(req *restful.Request, resp *restful.Response) {
 		}
 	}

+	if usernameInHeader == user.Username {
+		// change cluster role by self is not permitted
+		user.ClusterRole = ""
+	}
+
 	result, err := iam.UpdateUser(&user)

 	if err != nil {
--- a/pkg/models/iam/im.go
+++ b/pkg/models/iam/im.go
@@ -1166,11 +1166,13 @@ func UpdateUser(user *models.User) (*models.User, error) {
 		return nil, err
 	}

-	err = CreateClusterRoleBinding(user.Username, user.ClusterRole)
+	if user.ClusterRole != "" {
+		err = CreateClusterRoleBinding(user.Username, user.ClusterRole)

-	if err != nil {
-		klog.Errorln("create cluster role binding filed", err)
-		return nil, err
+		if err != nil {
+			klog.Errorln(err)
+			return nil, err
+		}
 	}

 	// clear auth failed record