Skip to content

fix: let normal users access their information in the v3 API#445

Open
alemar99 wants to merge 4 commits into
canonical:3.7from
alemar99:fix-lp-2148485-3.7
Open

fix: let normal users access their information in the v3 API#445
alemar99 wants to merge 4 commits into
canonical:3.7from
alemar99:fix-lp-2148485-3.7

Conversation

@alemar99

@alemar99 alemar99 commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Resolves: LP:2148485

@alemar99 alemar99 added the 3.7 label Jul 9, 2026
@maas-lander

Copy link
Copy Markdown
Collaborator

Check where you would like a Mattermost message to be sent to when CI completes and this PR is merged

  • Direct message
  • ~maas

@alemar99 alemar99 added the bug label Jul 9, 2026

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[maas-code-reviewer review]

LLM-generated review from https://github.com/canonical/maas-code-reviewer.
Intended to assist a human reviewer, not replace one — suggestions may be
incorrect, please verify before acting.

Overall, the logic to restrict non-admin users from viewing or updating other users correctly raises a 404 (preventing user enumeration) instead of a 403. However, there is a critical security vulnerability: non-admin users can escalate their privileges by setting is_superuser=True when updating their own profile.

Make sure to add authorization checks inside update_user to restrict which fields a non-admin user can update, or separate the models for admin updates and user self-updates.

Comment thread src/maasapiserver/v3/api/public/handlers/users.py
assert response.status_code == 200
assert len(response.headers["ETag"]) > 0
user_response = UserResponse(**response.json())
assert user_response.id == 1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor readability issue: The test requests user ID 0 (line 271), but asserts that the response has user ID 1. This happens because USER_1 is hardcoded to id=1. While functionally correct since the mock just returns what it's told, it makes the test logic confusing. Consider returning a mock user with id=0 instead.

Comment thread src/tests/maasapiserver/v3/api/public/handlers/test_users.py
@alemar99 alemar99 marked this pull request as draft July 9, 2026 10:57
@alemar99 alemar99 marked this pull request as ready for review July 9, 2026 11:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants