Merge commit from fork

rchincha · web-flow · commit 002ac62d8a15 · 2025-01-17T01:52:22.000-08:00
GHSA-c9p4-xwr9-rfhx authN/authZ creds are added to the request context so that they can be tracked and enforced in the various subsystems. However, it was previously a appended list (incorrectly); consequently, even if the user has been removed from the group configuration, the user could still log in. Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
diff --git a/pkg/meta/boltdb/boltdb.go b/pkg/meta/boltdb/boltdb.go
@@ -1662,7 +1662,7 @@ func (bdw *BoltDB) SetUserGroups(ctx context.Context, groups []string) error {
 			return err
 		}
 
-		userData.Groups = append(userData.Groups, groups...)
+		userData.Groups = groups
 
 		err = bdw.setUserData(userid, tx, userData)
 
diff --git a/pkg/meta/dynamodb/dynamodb.go b/pkg/meta/dynamodb/dynamodb.go
@@ -1647,7 +1647,7 @@ func (dwr DynamoDB) SetUserGroups(ctx context.Context, groups []string) error {
 		return err
 	}
 
-	userData.Groups = append(userData.Groups, groups...)
+	userData.Groups = groups
 
 	return dwr.SetUserData(ctx, userData)
 }

Original file line number	Diff line number	Diff line change
`@@ -1662,7 +1662,7 @@ func (bdw *BoltDB) SetUserGroups(ctx context.Context, groups []string) error {`
`1662`	`1662`	`return err`
`1663`	`1663`	`}`
`1664`	`1664`
`1665`		`- userData.Groups = append(userData.Groups, groups...)`
	`1665`	`+ userData.Groups = groups`
`1666`	`1666`
`1667`	`1667`	`err = bdw.setUserData(userid, tx, userData)`
`1668`	`1668`
Original file line number	Diff line number	Diff line change
`@@ -1647,7 +1647,7 @@ func (dwr DynamoDB) SetUserGroups(ctx context.Context, groups []string) error {`
`1647`	`1647`	`return err`
`1648`	`1648`	`}`
`1649`	`1649`
`1650`		`- userData.Groups = append(userData.Groups, groups...)`
	`1650`	`+ userData.Groups = groups`
`1651`	`1651`
`1652`	`1652`	`return dwr.SetUserData(ctx, userData)`
`1653`	`1653`	`}`