
Commit e3dc0ae

committed
Move conn.updateAdminPrivileges() inside if block
1 parent 0c0c0de commit e3dc0ae

File tree

1 file changed

+4
-2
lines changed
  • components/tools/OmeroWeb/omeroweb/webadmin

1 file changed

+4
-2
lines changed

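--- a/components/tools/OmeroWeb/omeroweb/webadmin/views.py
+++ b/components/tools/OmeroWeb/omeroweb/webadmin/views.py
@@ -588,16 +588,18 @@ def manage_experimenter(request, action, eid=None, conn=None, **kwargs):
 
 # Update 'AdminPrivilege' config roles for user
 privileges = conn.get_privileges_from_form(form)
-# Only process privileges that we have permission to set
 to_add = []
 to_remove = []
 if privileges is not None:
+# Only update privileges that we have permission to set
+# (prevents privilege escalation)
 for p in conn.getCurrentAdminPrivileges():
 if p in privileges:
 to_add.append(p)
 else:
 to_remove.append(p)
-conn.updateAdminPrivileges(experimenter.id, to_add, to_remove)
+conn.updateAdminPrivileges(experimenter.id,
+to_add, to_remove)
 
 conn.updateExperimenter(
 experimenter, omename, firstName, lastName, email, admin,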
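Review bot: Any privilege submitted in the form that the acting admin does not themselves hold is silently dropped by the loop over `conn.getCurrentAdminPrivileges()`, so the caller gets no indication that the privileges actually saved differ from what was requested. Keeping that filter is correct (it is what blocks escalation), but the rejected set is cheap to compute and worth surfacing, e.g. `rejected = set(privileges) - set(to_add)` logged or attached to the form as a non-field error before `updateAdminPrivileges` runs. As a smaller point of style, `to_add` and `to_remove` are now only used inside the `if privileges is not None:` block, so their initialisation belongs under it as well. This assumes `getCurrentAdminPrivileges()` returns the logged-in user's privileges rather than the target experimenter's, which the name suggests but the hunk does not show. `manage_experimenter` continues on both sides of this hunk.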
