user-util REST endpoint may grant more rights than requested

Steps to reproduce

Have a look at the user-utils endpoint docs (POST method):
http://octestallinone.virtuos.uos.de:8080/docs.html?path=/user-utils

[…]

Now I tried to circumvent the problem by sending more data. I found
that not omitting the roles fixed the problem and would create a user:

curl -i -f --digest -u opencast_system_account:CHANGE_ME \
  -H "X-Requested-Auth: Digest" \
  http://octestallinone.virtuos.uos.de:8080/user-utils/ \
  -F username=123 -F password=b -F 'roles='

But now, when I had a look at what was actually created:

curl -f --digest -u opencast_system_account:CHANGE_ME \
  -H "X-Requested-Auth: Digest" \
  http://octestallinone.virtuos.uos.de:8080/user-utils/users.json

…you will get something like:

{
  username: "123",
  provider: "matterhorn",
  manageable: true,
  roles: {
    role: {
      name: "ROLE_ANONYMOUS",
      organization: {...}
    }
  },
  organization: {...}
}

Wait, what? Why did I get a role assigned to me without specifying
one? That is security relevant.
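As an added check (not part of the report or of Opencast itself), the following script compares the roles returned by users.json for each account with the roles that were actually requested when the account was created and flags any extra grant, which is exactly the gap described above. The user list and the REQUESTED bookkeeping are constructed sample data, and the assumption that a multi-role user carries a list of role objects in the same "role" field is mine.

```python
import json

# Constructed sample (not a real server response), shaped like the
# users.json excerpt in the report: user "123" was created with roles=''
# yet carries ROLE_ANONYMOUS; "editor" was created with two roles on purpose.
SAMPLE_USERS_JSON = """[
  {"username": "123", "provider": "matterhorn", "manageable": true,
   "roles": {"role": {"name": "ROLE_ANONYMOUS", "organization": {}}}},
  {"username": "editor", "provider": "matterhorn", "manageable": true,
   "roles": {"role": [{"name": "ROLE_USER", "organization": {}},
                      {"name": "ROLE_ADMIN", "organization": {}}]}}
]"""
SAMPLE_USERS = json.loads(SAMPLE_USERS_JSON)

# What each account was asked for at creation time (assumed bookkeeping the
# caller keeps, e.g. the -F roles=... values it sent to the endpoint).
REQUESTED = {"123": set(), "editor": {"ROLE_USER", "ROLE_ADMIN"}}


def role_names(user):
    """Role names on one user object. The report shows "roles": {"role": {...}}
    for a single role; a user with several roles is assumed to carry a list
    of role objects in the same field, so both shapes are accepted."""
    role = (user.get("roles") or {}).get("role")
    if role is None:
        return set()
    if isinstance(role, dict):
        role = [role]
    return {r["name"] for r in role if isinstance(r, dict) and "name" in r}


def unexpected_roles(user, requested):
    """Roles on the created account that were not requested. With roles=''
    nothing should come back, so any name here is a grant beyond the request."""
    return role_names(user) - set(requested)


def audit_users(users, requested_by_username):
    """username -> extra roles, for every account that got more than asked."""
    findings = {}
    for user in users:
        name = user.get("username")
        extra = unexpected_roles(user, requested_by_username.get(name, set()))
        if extra:
            findings[name] = extra
    return findings


if __name__ == "__main__":
    for name, extra in audit_users(SAMPLE_USERS, REQUESTED).items():
        print(f"{name}: granted but not requested: {sorted(extra)}")
```

Pointing the same functions at a live users.json (fetched with the curl command above) instead of the constructed sample gives a quick regression check that an empty roles field really produces an account with no roles.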

Assignee

Lars Kiesow

Reporter

Lars Kiesow

Severity

Security

Tags (folksonomy)

None

Components

Fix versions

Affects versions

Priority

Blocker