Adding edit rights to specific attributes
Closed this issue · 1 comments
Currently, there is no input sanitization when issuing PUT calls to /api/v1/user.
This allows a user (among others) to
- update their profile, but also to
- edit their API access rights by submitting an attribute "omejdn" with a value of e.g. "admin".
This begs the question of which attributes should be editable by a user. Maybe we should add a blacklist to some config file with attributes that no user should be able to manage themselves. We probably also want to set restrictions on values that can be set at all (e.g. all claims defined in the scope mapping?)
Yes. User self-service should be a feature. But the attributes that can be self-service'd should be whitelisted explicitly.
Sensitive values (such as API access) should then not be whitelisted at all.
User-serviceable attributes should be non-critical, such as user (nick) names or alternative email addresses or possibly profile pictures. I think we should not make the restriction on a value basis and only on a key basis.
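
The key-based allowlist discussed in this thread, as an added Ruby example that is not Omejdn's own code. The allowlisted attribute names, the hash-shaped attribute store and the function names are assumptions made for illustration.

```ruby
require 'set'

# Assumed configuration: attribute keys a user may change on their own
# profile. These names are hypothetical, not taken from the project.
SELF_SERVICE_KEYS = Set['nickname', 'alt_email', 'picture'].freeze

class ForbiddenAttribute < StandardError; end

# Behaviour described in the issue: every submitted key is merged as-is,
# so the "omejdn" attribute can be overwritten by the user.
def update_unfiltered(stored, submitted)
  stored.merge(submitted)
end

# Key-based allowlist: the check is an exact match on the key and the
# whole request is rejected if any key is not allowlisted, so a sensitive
# attribute cannot ride along with harmless profile fields.
def update_self_service(stored, submitted, allowed = SELF_SERVICE_KEYS)
  raise ArgumentError, 'attributes must be an object' unless submitted.is_a?(Hash)

  normalized = submitted.transform_keys(&:to_s)
  denied = normalized.keys.reject { |key| allowed.include?(key) }
  unless denied.empty?
    raise ForbiddenAttribute, "not user-editable: #{denied.sort.join(', ')}"
  end

  # Attributes that were not submitted (including sensitive ones) are kept.
  stored.merge(normalized)
end

# Constructed sample record for the demonstration.
STORED = { 'nickname' => 'alice', 'omejdn' => 'read' }.freeze

if __FILE__ == $PROGRAM_NAME
  p update_unfiltered(STORED, { 'omejdn' => 'admin' })
  p update_self_service(STORED, { 'nickname' => 'al' })
  begin
    update_self_service(STORED, { 'nickname' => 'al', 'omejdn' => 'admin' })
  rescue ForbiddenAttribute => e
    puts "rejected: #{e.message}"
  end
end
```

Because the check is an allowlist rather than a blacklist, a key such as "Omejdn" or any attribute added later is rejected by default until it is explicitly listed.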