Skip to content

fix(security): require administrator role for user and account management#322

Open
Isaries wants to merge 1 commit into
WISE-Community:developfrom
Isaries:fix/admin-role-authorization
Open

fix(security): require administrator role for user and account management#322
Isaries wants to merge 1 commit into
WISE-Community:developfrom
Isaries:fix/admin-role-authorization

Conversation

@Isaries

@Isaries Isaries commented Jul 6, 2026

Copy link
Copy Markdown

Summary

Several user and account management endpoints under /admin were reachable by the researcher role through the broad /admin/** rule. A researcher could therefore grant themselves the administrator role or manage other users' accounts. This restricts those endpoints to administrators only.

Changes

  • Add @Secured("ROLE_ADMINISTRATOR") to the user, role, account, portal and news admin controllers.
  • Split the authorization rules so the sensitive paths (/admin/account/**, /admin/portal/**, /admin/news/**, /admin/mergeProjectMetadata, /admin/run/replacebase64withpng.html, /api/admin/**) require the administrator role. These more specific rules are listed before the broader /admin/** rule so they take precedence. Researchers keep access to the remaining /admin/** endpoints.

Testing

  • Builds on JDK 17 (mvnw package).
  • Method security is enabled with securedEnabled = true, so the annotations are active.

…ment

The admin surface was gated by a single URL rule allowing both
administrators and researchers, so a researcher could reach the user,
role, portal and news management endpoints and grant themselves the
administrator role, disable accounts, or read other users' details.

Restrict those endpoints to administrators at the URL layer and add
method-level enforcement on the account management controllers so the
restriction does not depend on the URL configuration alone.

@hirokiterashima hirokiterashima left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think there's a need to add the comments in WebSecurityConfig- the code is clear enough.

Also, can you restrict access to those links (find user, enable/disable user, etc) from src/main/webapp/portal/admin/index.jsp using <sec:authorize>?

   <sec:authorize access="hasRole('ROLE_ADMINISTRATOR')">
      only admin users can see this
   </sec:authorize>

Comment on lines +89 to +93
// User, role, portal, news and destructive maintenance endpoints must be
// restricted to administrators. They were previously reachable by researchers
// through the broad "/admin/**" rule, which let a researcher grant themselves
// the administrator role or manage other users' accounts. These more specific
// rules are listed first so they take precedence over the broader ones below.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK to remove comments.

Suggested change
// User, role, portal, news and destructive maintenance endpoints must be
// restricted to administrators. They were previously reachable by researchers
// through the broad "/admin/**" rule, which let a researcher grant themselves
// the administrator role or manage other users' accounts. These more specific
// rules are listed first so they take precedence over the broader ones below.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants