# HG changeset patch
# User Marcin Lulek
# Date 2017-10-08 21:31:45
# Node ID aefa7aacdb97acbb9f8f9369b18de45634d3a948
# Parent ea1af41c3f461c2f79fde775b953d1d53f905b48
auth: don't expose full set of permissions into channelstream payload. This leads to resource discovery security vulnerability
diff --git a/rhodecode/apps/channelstream/views.py b/rhodecode/apps/channelstream/views.py
--- a/rhodecode/apps/channelstream/views.py
+++ b/rhodecode/apps/channelstream/views.py
@@ -71,6 +71,7 @@ class ChannelstreamView(object):
 except Exception:
 log.exception('Failed to decode json from request')
 raise HTTPBadRequest()
+
 try:
 channels = check_channel_permissions(
 json_body.get('channels'),
@@ -92,7 +93,7 @@ class ChannelstreamView(object):
 'display_name': None,
 'display_link': None,
 }
- user_data['permissions'] = self._rhodecode_user.permissions
+ user_data['permissions'] = self._rhodecode_user.permissions_safe
 payload = {
 'username': user.username,
 'user_state': user_data,
diff --git a/rhodecode/lib/auth.py b/rhodecode/lib/auth.py
--- a/rhodecode/lib/auth.py
+++ b/rhodecode/lib/auth.py
@@ -944,6 +944,24 @@ class AuthUser(object):
 return self.get_perms(user=self, cache=False)
 
 @LazyProperty
+ def permissions_safe(self):
+ """
+ Filtered permissions excluding not allowed repositories
+ """
+ perms = self.get_perms(user=self, cache=False)
+
+ perms['repositories'] = {
+ k: v for k, v in perms['repositories'].iteritems()
+ if v != 'repository.none'}
+ perms['repositories_groups'] = {
+ k: v for k, v in perms['repositories_groups'].iteritems()
+ if v != 'group.none'}
+ perms['user_groups'] = {
+ k: v for k, v in perms['user_groups'].iteritems()
+ if v != 'usergroup.none'}
+ return perms
+
+ @LazyProperty
 def permissions_full_details(self):
 return self.get_perms(
 user=self, cache=False, calculate_super_admin=True)
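Review bot: The call site in the second views.py hunk gives no hint why the filtered view is used, so a later edit could switch the assignment back to `permissions` without noticing that the payload is the reason; a one-line comment above it would pin the intent, e.g. `# permissions_safe omits entries the user has no access to, so the payload cannot be used to enumerate repositories or groups`. The method containing this assignment starts and ends outside the hunk, so who receives `payload` is not visible here; if it is delivered to other channel subscribers rather than only back to this user, it is worth confirming that `user_state` needs the permission map at all.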
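Review bot: The filter in permissions_safe is a denylist on three literal strings ('repository.none', 'group.none', 'usergroup.none'), so any other permission level that also means "no access", or a typo in a future level name, would pass through to the channelstream payload unchanged; pulling the three names into one module-level constant and filtering with `if v not in _NO_ACCESS_PERMS` makes the rule auditable in one place. The `perms` dict is rewritten in place, which is only safe if get_perms(cache=False) returns a fresh structure rather than one shared with `permissions` or a cache — that assumption is not visible in the hunk and should be stated in the docstring, e.g. `Copy of the user's permissions with repository, repository-group and user-group entries the user has no access to removed; relies on get_perms(cache=False) returning a fresh dict.` Any keys get_perms returns other than those three are passed through unfiltered, which is fine only if they carry no resource names — confirm. AuthUser continues outside the hunk.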