Fix user listing access control (#1546)

Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com>
2025-04-24 13:48:49 +08:00 · 2022-01-19 16:46:10 +01:00 · 2022-01-19 16:46:10 +01:00 · bcc8cf7119
commit bcc8cf7119
parent d86a4dee92
2 changed files with 7 additions and 2 deletions
--- a/api/users.yml
+++ b/api/users.yml
@ -46,7 +46,9 @@ paths:
        '400':
          description: Failed due to malformed query parameters.
        '401':
-          description: Missing or invalid access token provided.
+          description: |
+            Missing or invalid access token provided.
+            This endpoint is available only for administrators.
        '404':
          description: A non-existent entity request.
        '422':
--- a/users/service.go
+++ b/users/service.go
@ -251,11 +251,14 @@ func (svc usersService) ViewProfile(ctx context.Context, token string) (User, er
 }

 func (svc usersService) ListUsers(ctx context.Context, token string, offset, limit uint64, email string, m Metadata) (UserPage, error) {
-	_, err := svc.identify(ctx, token)
+	id, err := svc.identify(ctx, token)
 	if err != nil {
 		return UserPage{}, err
 	}

+	if err := svc.authorize(ctx, id.id, "authorities", "member"); err != nil {
+		return UserPage{}, errors.Wrap(ErrUnauthorizedAccess, err)
+	}
 	return svc.users.RetrieveAll(ctx, offset, limit, nil, email, m)
 }