Skip to content

fix(security): require administrator role for user and account management#322

Open
Isaries wants to merge 1 commit into
WISE-Community:developfrom
Isaries:fix/admin-role-authorization
Open

fix(security): require administrator role for user and account management#322
Isaries wants to merge 1 commit into
WISE-Community:developfrom
Isaries:fix/admin-role-authorization

Conversation

@Isaries

@Isaries Isaries commented Jul 6, 2026

Copy link
Copy Markdown

Summary

Several user and account management endpoints under /admin were reachable by the researcher role through the broad /admin/** rule. A researcher could therefore grant themselves the administrator role or manage other users' accounts. This restricts those endpoints to administrators only.

Changes

  • Add @Secured("ROLE_ADMINISTRATOR") to the user, role, account, portal and news admin controllers.
  • Split the authorization rules so the sensitive paths (/admin/account/**, /admin/portal/**, /admin/news/**, /admin/mergeProjectMetadata, /admin/run/replacebase64withpng.html, /api/admin/**) require the administrator role. These more specific rules are listed before the broader /admin/** rule so they take precedence. Researchers keep access to the remaining /admin/** endpoints.

Testing

  • Builds on JDK 17 (mvnw package).
  • Method security is enabled with securedEnabled = true, so the annotations are active.

…ment

The admin surface was gated by a single URL rule allowing both
administrators and researchers, so a researcher could reach the user,
role, portal and news management endpoints and grant themselves the
administrator role, disable accounts, or read other users' details.

Restrict those endpoints to administrators at the URL layer and add
method-level enforcement on the account management controllers so the
restriction does not depend on the URL configuration alone.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant