user-util REST endpoint may grant more rights than requested

Steps to reproduce

Have a look at the user-utils endpoint docs (POST method):
http://octestallinone.virtuos.uos.de:8080/docs.html?path=/user-utils

[…]

Now I tried to circumvent the problem by sending more data. I found
that not omitting the roles fixed the problem and would create a user:

curl -i -f --digest -u opencast_system_account:CHANGE_ME \
  -H "X-Requested-Auth: Digest" \
  http://octestallinone.virtuos.uos.de:8080/user-utils/ \
  -F username=123 -F password=b -F 'roles='

But now, when I had a look at what was actually created:

curl -f --digest -u opencast_system_account:CHANGE_ME \
  -H "X-Requested-Auth: Digest" \
  http://octestallinone.virtuos.uos.de:8080/user-utils/users.json

…you will get something like:

{
  username: "123",
  provider: "matterhorn",
  manageable: true,
  roles: {
    role: {
      name: "ROLE_ANONYMOUS",
      organization: {...}
    }
  },
  organization: {...}
}

Wait, what? Why did I get a role assigned to me without specifying
one? That is security relevant.
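A small audit script for the behaviour described above, added here as an example and not part of the report or of the Opencast code base. It takes the user objects returned by users.json, compares each user's roles with the roles that were actually requested at creation time, and reports any role the endpoint granted on its own (for the report's `roles=` case, anything at all). The sample input is constructed to match the shape shown in the report; the handling of `roles.role` as either one object or a list of objects is an assumption about how several roles would be serialised, not something the report shows.

```python
"""Audit user-utils users.json output for roles that were never requested.

Added example for this bug report; not Opencast project code. It assumes
the user-object shape shown in the report and works on embedded sample
data rather than a live server.
"""
import json

# Constructed sample modelled on the report's output (valid JSON, two users).
# The second user is an assumption showing several roles as a list.
SAMPLE_USERS_JSON = """
[
  {"username": "123", "provider": "matterhorn", "manageable": true,
   "roles": {"role": {"name": "ROLE_ANONYMOUS", "organization": {}}},
   "organization": {}},
  {"username": "editor1", "provider": "matterhorn", "manageable": true,
   "roles": {"role": [{"name": "ROLE_ADMIN", "organization": {}},
                      {"name": "ROLE_USER", "organization": {}}]},
   "organization": {}}
]
"""

# Roles that were sent in the create request, per username (constructed).
# An empty set records the report's `-F 'roles='` call.
REQUESTED_ROLES = {
    "123": set(),
    "editor1": {"ROLE_ADMIN", "ROLE_USER"},
}


def parse_users(text):
    """Parse users.json text into a list of user objects.

    A single user object (as in the report) is wrapped into a one-element list.
    """
    data = json.loads(text)
    return [data] if isinstance(data, dict) else list(data)


def roles_of(user):
    """Return the set of role names attached to one user object.

    `roles.role` is a single object in the report's output; a list is also
    accepted here (assumption for users with several roles).
    """
    roles = (user.get("roles") or {}).get("role") or []
    if isinstance(roles, dict):
        roles = [roles]
    return {r["name"] for r in roles}


def unexpected_roles(users, requested):
    """Map username -> roles present on the user but absent from `requested`.

    Users that are not in `requested` are skipped, since nothing is known
    about what was asked for them.
    """
    findings = {}
    for user in users:
        name = user.get("username")
        if name not in requested:
            continue
        extra = roles_of(user) - set(requested[name])
        if extra:
            findings[name] = extra
    return findings


def audit_sample():
    """Run the audit over the constructed sample; returns the findings."""
    return unexpected_roles(parse_users(SAMPLE_USERS_JSON), REQUESTED_ROLES)


if __name__ == "__main__":
    for username, roles in sorted(audit_sample().items()):
        print(f"{username}: granted but not requested: {sorted(roles)}")
```

Against the sample this flags user `123` with `ROLE_ANONYMOUS`, which is exactly the case the report describes; `editor1` is clean because every role on the account was requested. To use it against a real deployment, replace `SAMPLE_USERS_JSON` with the body of the users.json call above and `REQUESTED_ROLES` with the roles your provisioning actually sent.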

Status

Assignee

Lars Kiesow

Reporter

Lars Kiesow

Severity

Security

Tags (folksonomy)

None

Components

Fix versions

Affects versions

2.1.0
2.0.1

Priority

Blocker