From 002ac62d8a15bf0cba010b3ba7bde86f9837b613 Mon Sep 17 00:00:00 2001
From: Ramkumar Chinchani <45800463+rchincha@users.noreply.github.com>
Date: Fri, 17 Jan 2025 01:52:22 -0800
Subject: [PATCH] Merge commit from fork GHSA-c9p4-xwr9-rfhx authN/authZ creds are added to the request context so that they can be tracked and enforced in the various subsystems. However, it was previously a appended list (incorrectly); consequently, even if the user has been removed from the group configuration, the user could still log in.
Signed-off-by: Ramkumar Chinchani
---
 pkg/meta/boltdb/boltdb.go | 2 +-
 pkg/meta/dynamodb/dynamodb.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/meta/boltdb/boltdb.go b/pkg/meta/boltdb/boltdb.go
index d7ee08f3..d357c8dd 100644
--- a/pkg/meta/boltdb/boltdb.go
+++ b/pkg/meta/boltdb/boltdb.go
@@ -1662,7 +1662,7 @@ func (bdw *BoltDB) SetUserGroups(ctx context.Context, groups []string) error {
 return err
 }
- userData.Groups = append(userData.Groups, groups...)
+ userData.Groups = groups
 err = bdw.setUserData(userid, tx, userData)
diff --git a/pkg/meta/dynamodb/dynamodb.go b/pkg/meta/dynamodb/dynamodb.go
index 5357d012..7d97ef05 100644
--- a/pkg/meta/dynamodb/dynamodb.go
+++ b/pkg/meta/dynamodb/dynamodb.go
@@ -1647,7 +1647,7 @@ func (dwr DynamoDB) SetUserGroups(ctx context.Context, groups []string) error {
 return err
 }
- userData.Groups = append(userData.Groups, groups...)
+ userData.Groups = groups
 return dwr.SetUserData(ctx, userData)
 }
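Review bot: The replace-not-merge assignment `userData.Groups = groups` in BoltDB.SetUserGroups (and the identical line in DynamoDB.SetUserGroups in the second hunk) is the entire security fix, yet nothing on the line records that intent and the diffstat lists no test file, so a later refactor could reintroduce the append unnoticed. I would put a comment above each assignment, for example `// Replace, never merge: a group revoked upstream must disappear from the stored record.`, and add a regression test per backend that calls SetUserGroups twice with different lists and asserts only the second list is stored. Records written by the old appending code presumably keep their stale groups until SetUserGroups next runs for that user, so it is worth confirming that no authorization path reads the stored groups before that refresh. Both function bodies begin and end outside the hunks shown.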