Skip to content

fix bug: user can create user without permission #21958

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 5, 2025
Merged

fix bug: user can create user without permission #21958

merged 2 commits into from
Jun 5, 2025

Conversation

ouyuanning
Copy link
Contributor

@ouyuanning ouyuanning commented Jun 5, 2025
edited by qodo-merge-pro bot
Loading

User description

What type of PR is this?

  • API-change
  • BUG
  • Improvement
  • Documentation
  • Feature
  • Test and CI
  • Code Refactoring

Which issue(s) this PR fixes:

issue #21920

What this PR does / why we need it:

fix bug: user can create user without permission

PR Type

Bug fix, Tests

Description

  • Fix privilege check to prevent unauthorized user creation

  • Update tests to verify user creation privilege enforcement

  • Add scenarios for account and role-based user creation

Changes walkthrough 📝

Relevant files
Bug fix
authenticate2.go
Enforce privilege check for user creation                               

pkg/frontend/authenticate2.go

  • Explicitly set yes = false for
    PrivilegeTypeCanGrantRoleToOthersInCreateUser
  • Ensures users without proper privilege cannot create users
  • Minor formatting/comment updates in privilege checking logic
    		• +21/-20 
    Tests
    create_user_default_role.result
    Update test results for user creation privilege checks     

    test/distributed/cases/tenant/privilege/create_user_default_role.result

  • Add test results for new account and user creation scenarios
  • Show expected internal error when lacking privilege
  • Reflects stricter privilege enforcement in test outputs
    		• +10/-0   
    create_user_default_role.sql
    Add and update SQL tests for user creation privilege         

    test/distributed/cases/tenant/privilege/create_user_default_role.sql

  • Add SQL tests for account, role, and user creation flows
  • Test user creation with and without proper privileges
  • Include session changes to simulate different user contexts
    		• +13/-0   
    Need help?
  • Type /help how to ... in the comments thread for any questions about Qodo Merge usage.
  • Check out the documentation for more information.
    •

    @qodo-merge-pro Qodo Merge Pro
    Copy link

    qodo-merge-pro bot commented Jun 5, 2025

    PR Reviewer Guide 🔍

    Here are some key observations to aid the review process:

    ⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
    🧪 PR contains tests
    🔒 No security concerns identified
    ⚡ Recommended focus areas for review

    Privilege Enforcement

    The PR sets yes = false for the PrivilegeTypeCanGrantRoleToOthersInCreateUser privilege check, but the commented-out code suggests there might have been a more nuanced implementation planned. Verify this is the intended behavior rather than a temporary fix.

     
    	yes = false
} else {

    @matrix-meow matrix-meow added the size/S Denotes a PR that changes [10,99] lines label Jun 5, 2025
    @mergify mergify bot added the kind/bug Something isn't working label Jun 5, 2025
    @qodo-merge-pro Qodo Merge Pro
    Copy link

    qodo-merge-pro bot commented Jun 5, 2025

    PR Code Suggestions ✨

    No code suggestions found for the PR.

    @mergify mergify bot merged commit 4867f5b into matrixorigin:main Jun 5, 2025
    18 checks passed
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Reviewers

    @daviszhen daviszhen daviszhen approved these changes

    @heni02 heni02 heni02 approved these changes

    @qingxinhome qingxinhome Awaiting requested review from qingxinhome

    @aressu1985 aressu1985 Awaiting requested review from aressu1985

    Assignees
    No one assigned
    Labels
    kind/bug Something isn't working Review effort 2/5 size/S Denotes a PR that changes [10,99] lines
    Projects
    None yet
    Milestone
    No milestone
    Development

    Successfully merging this pull request may close these issues.
    4 participants
    @ouyuanning @daviszhen @heni02 @matrix-meow