Normal users should not be able to create/end leases for other people #137
Labels
bug
Something isn't working
Comments
|
Related CLI Issue: Optum/dce-cli#37 |
|
For sure. We should probably step back and look at a authorization strategy for all our endpoints.... |
|
agreed. Users when creating a lease shouldn't provide their principal. Admins should be able to override that value. I think these are things that get easier to do when we getting some of the code changes in. |
|
and a security oriented review |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
While authenticating with temporary sts credentials mapped to a cognito user called
testuser, I observed the following behavior.~ dce leases create --budget-amount 100.0 --budget-currency USD --email jane.doe@optum.com --principle-id jdoe99 Lease created: {"accountId":"XXX","budgetAmount":100,"budgetCurrency":"USD","budgetNotificationEmails":["jane.doe@optum.com"],"createdOn":1574347343,"expiresOn":1574952143,"id":"d7586b82-2b57-4ba0-9469-ba59d865e823","lastModifiedOn":1574347343,"leaseStatus":"Active","leaseStatusModifiedOn":1574347343,"leaseStatusReason":"Active","principalId":"jdoe99"} ~ dce leases end --account-id XXX --principle-id jdoe99 Lease endedDescribe the solution you'd like
Respond with 403 for any leases requests involving a principaID that is not your own.
The text was updated successfully, but these errors were encountered: