feat: improve objOwner check

This commit is contained in:
Yang Luo
2026-04-08 23:17:54 +08:00
parent 315a6bb040
commit 10daed237e
2 changed files with 14 additions and 1 deletions


@@ -179,7 +179,7 @@ func IsAllowed(subOwner string, subName string, method string, urlPath string, o
return true
}
if user.IsAdmin && (subOwner == objOwner || (objOwner == "admin")) {
if user.IsAdmin && subOwner == objOwner {
return true
}
}
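Review bot: The tightened admin condition `if user.IsAdmin && subOwner == objOwner {` drops the former exception that let an org admin act on objects owned by the "admin" organization, and nothing in the hunk records that this narrowing is intentional, so a later maintainer could re-introduce the broader branch. A one-line comment above the check would pin the decision: `// Org admins may act only on objects in their own organization; objects owned by the built-in "admin" org are not a shared exception.` Which of the two printed lines is the new one is inferred from the diffstat (one addition, one deletion) and the commit title, since the +/- markers are not shown. Because objOwner is derived from request input upstream, it is also worth confirming that an empty objOwner (neither id nor owner supplied) can never equal a caller's subOwner, though that depends on code outside this hunk. IsAllowed's body starts and ends outside the hunk.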


@@ -141,6 +141,19 @@ func getObject(ctx *context.Context) (string, string, error) {
}
}
// For non-GET requests, if the `id` query param is present it is the
// authoritative identifier of the object being operated on. Use it
// instead of the request body so that an attacker cannot spoof the
// object owner by injecting "owner":"admin" (or any other value) into
// the request body while pointing the URL at a different organization's
// resource.
if id := ctx.Input.Query("id"); id != "" {
owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
if err == nil {
return owner, name, nil
}
}
body := ctx.Input.RequestBody
if len(body) == 0 {
return ctx.Request.Form.Get("owner"), ctx.Request.Form.Get("name"), nil