mirror of
https://github.com/kanidm/kanidm.git
synced 2025-02-23 20:47:01 +01:00
increase severity for "{:?} !⊆ allowed: {:?}" (#2648)
Co-authored-by: Firstyear <william@blackhats.net.au>
parent
a0357ad227
commit
45f26888be
|
@ -140,8 +140,8 @@ fn create_filter_entry<'a>(
|
||||||
let allowed_classes: BTreeSet<&str> = accr.acp.classes.iter().map(|s| s.as_str()).collect();
|
let allowed_classes: BTreeSet<&str> = accr.acp.classes.iter().map(|s| s.as_str()).collect();
|
||||||
|
|
||||||
if !create_attrs.is_subset(&allowed_attrs) {
|
if !create_attrs.is_subset(&allowed_attrs) {
|
||||||
security_access!("create_attrs is not a subset of allowed");
|
security_error!("create_attrs is not a subset of allowed");
|
||||||
security_access!("create: {:?} !⊆ allowed: {:?}", create_attrs, allowed_attrs);
|
security_error!("create: {:?} !⊆ allowed: {:?}", create_attrs, allowed_attrs);
|
||||||
false
|
false
|
||||||
} else if !create_classes.is_subset(&allowed_classes) {
|
} else if !create_classes.is_subset(&allowed_classes) {
|
||||||
security_error!("create_classes is not a subset of allowed");
|
security_error!("create_classes is not a subset of allowed");
|
||||||
|
|
|
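Review bot: With both calls in the `!create_attrs.is_subset(&allowed_attrs)` branch now at `security_error!`, one denied create produces two events at the raised severity for a single decision. The denial is caused by what the requester asked for, so the rate of these events is under client control, and anything that counts or alerts on this severity will see each refusal twice. I would fold the pair into one event, for example `security_error!("create_attrs is not a subset of allowed: {:?} !⊆ {:?}", create_attrs, allowed_attrs);`. The `create_classes` branch already used `security_error!` for its short message, but its detail line falls outside the hunk, so it is not visible here whether that line was raised as well. The same two-call pattern is in the `ModifyResult::Allow` arms of the hunks at -484 and -617.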
@ -484,24 +484,24 @@ pub trait AccessControlsTransaction<'a> {
|
||||||
ModifyResult::Grant => true,
|
ModifyResult::Grant => true,
|
||||||
ModifyResult::Allow { pres, rem, cls } => {
|
ModifyResult::Allow { pres, rem, cls } => {
|
||||||
if !requested_pres.is_subset(&pres) {
|
if !requested_pres.is_subset(&pres) {
|
||||||
security_access!("requested_pres is not a subset of allowed");
|
security_error!("requested_pres is not a subset of allowed");
|
||||||
security_access!(
|
security_error!(
|
||||||
"requested_pres: {:?} !⊆ allowed: {:?}",
|
"requested_pres: {:?} !⊆ allowed: {:?}",
|
||||||
requested_pres,
|
requested_pres,
|
||||||
pres
|
pres
|
||||||
);
|
);
|
||||||
false
|
false
|
||||||
} else if !requested_rem.is_subset(&rem) {
|
} else if !requested_rem.is_subset(&rem) {
|
||||||
security_access!("requested_rem is not a subset of allowed");
|
security_error!("requested_rem is not a subset of allowed");
|
||||||
security_access!(
|
security_error!(
|
||||||
"requested_rem: {:?} !⊆ allowed: {:?}",
|
"requested_rem: {:?} !⊆ allowed: {:?}",
|
||||||
requested_rem,
|
requested_rem,
|
||||||
rem
|
rem
|
||||||
);
|
);
|
||||||
false
|
false
|
||||||
} else if !requested_classes.is_subset(&cls) {
|
} else if !requested_classes.is_subset(&cls) {
|
||||||
security_access!("requested_classes is not a subset of allowed");
|
security_error!("requested_classes is not a subset of allowed");
|
||||||
security_access!(
|
security_error!(
|
||||||
"requested_classes: {:?} !⊆ allowed: {:?}",
|
"requested_classes: {:?} !⊆ allowed: {:?}",
|
||||||
requested_classes,
|
requested_classes,
|
||||||
cls
|
cls
|
||||||
|
@ -617,24 +617,24 @@ pub trait AccessControlsTransaction<'a> {
|
||||||
ModifyResult::Grant => true,
|
ModifyResult::Grant => true,
|
||||||
ModifyResult::Allow { pres, rem, cls } => {
|
ModifyResult::Allow { pres, rem, cls } => {
|
||||||
if !requested_pres.is_subset(&pres) {
|
if !requested_pres.is_subset(&pres) {
|
||||||
security_access!("requested_pres is not a subset of allowed");
|
security_error!("requested_pres is not a subset of allowed");
|
||||||
security_access!(
|
security_error!(
|
||||||
"requested_pres: {:?} !⊆ allowed: {:?}",
|
"requested_pres: {:?} !⊆ allowed: {:?}",
|
||||||
requested_pres,
|
requested_pres,
|
||||||
pres
|
pres
|
||||||
);
|
);
|
||||||
false
|
false
|
||||||
} else if !requested_rem.is_subset(&rem) {
|
} else if !requested_rem.is_subset(&rem) {
|
||||||
security_access!("requested_rem is not a subset of allowed");
|
security_error!("requested_rem is not a subset of allowed");
|
||||||
security_access!(
|
security_error!(
|
||||||
"requested_rem: {:?} !⊆ allowed: {:?}",
|
"requested_rem: {:?} !⊆ allowed: {:?}",
|
||||||
requested_rem,
|
requested_rem,
|
||||||
rem
|
rem
|
||||||
);
|
);
|
||||||
false
|
false
|
||||||
} else if !requested_classes.is_subset(&cls) {
|
} else if !requested_classes.is_subset(&cls) {
|
||||||
security_access!("requested_classes is not a subset of allowed");
|
security_error!("requested_classes is not a subset of allowed");
|
||||||
security_access!(
|
security_error!(
|
||||||
"requested_classes: {:?} !⊆ allowed: {:?}",
|
"requested_classes: {:?} !⊆ allowed: {:?}",
|
||||||
requested_classes,
|
requested_classes,
|
||||||
cls
|
cls
|
||||||
|
|
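Review bot: The `ModifyResult::Allow { pres, rem, cls }` arm in this hunk is line-for-line the same as the one in the hunk at -484, so the severity change had to be made six times across two copies. These events are the audit trail for refused modifications, so if the next edit touches only one copy, the two paths will log the same denial at different severities. A small private helper that does the subset test and emits the single denial event would leave one place to change. The sketch below is generic over the element type because the set types are not visible in these hunks, and `BTreeSet` is assumed from the `create_filter_entry` hunk. Both arms continue past the end of their hunks, so the success branch is left as it is.

```rust
// Sketch: one copy of the subset check and its denial event.
fn subset_or_deny<T: Ord + std::fmt::Debug>(
    what: &str,
    requested: &BTreeSet<T>,
    allowed: &BTreeSet<T>,
) -> bool {
    let permitted = requested.is_subset(allowed);
    if !permitted {
        security_error!("{}: {:?} !⊆ allowed: {:?}", what, requested, allowed);
    }
    permitted
}

// … unchanged: ModifyResult::Grant arm …
ModifyResult::Allow { pres, rem, cls } => {
    // && short-circuits, so only the first failing set is reported, as before.
    let permitted = subset_or_deny("requested_pres", &requested_pres, &pres)
        && subset_or_deny("requested_rem", &requested_rem, &rem)
        && subset_or_deny("requested_classes", &requested_classes, &cls);
    // … unchanged: success branch of the arm, outside the hunk …
```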