This is an automated email from the ASF dual-hosted git repository. dineshkumar pushed a commit to branch sandbox/dineshkumar-yadav/RANGER-5342 in repository https://gitbox.apache.org/repos/asf/ranger.git
commit a4a2a50af35786e9fd37010b847e30beb756a804
Author: Dineshkumar Yadav <[email protected]>
AuthorDate: Sat Sep 27 09:58:58 2025 +0530
RANGER-5342: USER-role users with names similar to admin or keyadmin can query those admin/keyadmin users.
---
 security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
index 03b762c69..da3e1bc26 100755
--- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
@@ -457,6 +457,11 @@ public VXUserList searchXUsers(@Context HttpServletRequest request, @QueryParam(
 hasRole = !userRolesList.contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) ? userRolesList.add(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) : hasRole;
 hasRole = !userRolesList.contains(RangerConstants.ROLE_USER) ? userRolesList.add(RangerConstants.ROLE_USER) : hasRole;
 } else if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_USER)) {
+ boolean hasOnlyUserRole = userRolesList.size() == 1 && userRolesList.contains(RangerConstants.ROLE_USER);
+ if (!hasOnlyUserRole || !RangerConstants.ROLE_USER.equals(userRole)) {
+ throw restErrorUtil.create403RESTException("Logged-In user is not allowed to access requested user data.");
+ }
+ logger.info("Logged-In user having user role will be able to fetch his own user details.");
 if (!searchCriteria.getParamList().containsKey("name")) {
