CVE-2023-1541: fix(admin): add restriction about admin modify their password · answerdev/answer@15390ad
Business logic error in the GitHub repository answerdev/answer prior to version 1.0.6.
@@ -153,6 +153,10 @@ func (us *UserAdminService) AddUser(ctx context.Context, req *schema.AddUserReq)
// UpdateUserPassword update user password
func (us *UserAdminService) UpdateUserPassword(ctx context.Context, req *schema.UpdateUserPasswordReq) (err error) {
// Users cannot modify their password
if req.UserID == req.LoginUserID {
return errors.BadRequest(reason.AdminCannotUpdateTheirPassword)
}
userInfo, exist, err := us.userRepo.GetUserInfo(ctx, req.UserID)
if err != nil {
return err
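Review bot: The guard `if req.UserID == req.LoginUserID` is only as strong as the origin of `LoginUserID`; it must be set from the authenticated session by the auth layer and never bound from the request body, otherwise the check is trivially satisfied by the caller — that binding is not visible in this hunk, so please confirm it. The added comment `// Users cannot modify their password` undersells the intent; suggest `// Admins may not change their own password through the admin endpoint (CVE-2023-1541); self-service password change is the only path.` The `exist` value returned by `GetUserInfo` is not checked in the visible lines; UpdateUserPassword's body continues past the hunk, so the not-found handling presumably lives there.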
GHSA-h2wg-83fc-xvm9: Answer vulnerable to Business Logic Errors
Business Logic Errors in GitHub repository answerdev/answer prior to 1.0.6.