Bug: deleting a usr could revoke good tokens.

2025-10-30 18:27:49 +00:00 · 2021-10-27 12:16:15 -07:00
parent 8ff25257ca
commit 56308dfa5e
4 changed files with 8 additions and 16 deletions
--- a/2
+++ b/2
@@ -1 +1 @@
-6
+8
--- a/src/AuthService.cpp
+++ b/src/AuthService.cpp
@@ -103,7 +103,7 @@ namespace OpenWifi {

        for(auto i=UserCache_.begin();i!=UserCache_.end();) {
            if (i->second.userinfo.email==UserName) {
-                Logout(i->first);
+                Logout(i->first, false);
                i = UserCache_.erase(i);
            } else {
                ++i;
@@ -120,10 +120,11 @@ namespace OpenWifi {
        return std::regex_match(Password, PasswordValidation_);
    }

-    void AuthService::Logout(const std::string &token) {
+    void AuthService::Logout(const std::string &token, bool EraseFromCache) {
 		std::lock_guard		Guard(Mutex_);

-		UserCache_.erase(token);
+		if(EraseFromCache)
+		    UserCache_.erase(token);

        try {
            Poco::JSON::Object Obj;
--- a/src/AuthService.h
+++ b/src/AuthService.h
@@ -69,7 +69,7 @@ namespace OpenWifi{
        [[nodiscard]] bool ValidateToken(const std::string & Token, std::string & SessionToken, SecurityObjects::UserInfoAndPolicy & UserInfo  );
        [[nodiscard]] bool SetPassword(const std::string &Password, SecurityObjects::UserInfo & UInfo);
        [[nodiscard]] const std:: string & PasswordValidationExpression() const { return PasswordValidationStr_;};
-        void Logout(const std::string &token);
+        void Logout(const std::string &token, bool EraseFromCache=true);

        bool ValidatePassword(const std::string &pwd);

--- a/src/framework/MicroService.h
+++ b/src/framework/MicroService.h
@@ -1262,7 +1262,7 @@ namespace OpenWifi {
 	    RESTAPIHandler(BindingMap map, Poco::Logger &l, std::vector<std::string> Methods, RESTAPI_GenericServer & Server, bool Internal=false, bool AlwaysAuthorize=true)
 	    : Bindings_(std::move(map)), Logger_(l), Methods_(std::move(Methods)), Server_(Server), Internal_(Internal), AlwaysAuthorize_(AlwaysAuthorize) {}

-	    inline bool RoleIsAuthorized(std::string & Reason) {
+	    inline bool RoleIsAuthorized(const std::string & Path, const std::string & Method, std::string & Reason) {
 	        return true;
 	    }

@@ -1280,7 +1280,7 @@ namespace OpenWifi {
 	            }

 	            std::string Reason;
-	            if(!RoleIsAuthorized(Reason)) {
+	            if(!RoleIsAuthorized(RequestIn.getURI(), Request->getMethod(), Reason)) {
                    UnAuthorized(Reason);
                    return;
 	            }
@@ -3095,15 +3095,6 @@ namespace OpenWifi {
                                                  Internal) {}
                                                  static const std::list<const char *> PathName() { return std::list<const char *>{"/api/v1/system"};}

-        bool RoleIsAuthorized(std::string & Reason) {
-	        if( UserInfo_.userinfo.userRole != SecurityObjects::USER_ROLE::ROOT &&
-	            UserInfo_.userinfo.userRole != SecurityObjects::USER_ROLE::ADMIN ) {
-	            Reason = "User must be ADMIN/ROOT to perform this operation.";
-	            return false;
-	        }
-	        return true;
-	    }
-
        inline void DoGet() {
 	        std::string Arg;
 	        if(HasParameter("command",Arg) && Arg=="info") {