loopback/common
Miroslav Bajtoš 3996f56ab9
Fix "POST /change-password" for multi-user setup
Fix the code extracting current user id from the access token provided
in the HTTP request, to allow only access tokens created by the target
user models to execute the action.

This fixes the following security vulnerability:

* We have two user models, e.g. Admin and Customer

* We have an Admin instance and a Customer instance with the same
  id and the same password.

* The Customer can change Admin's password using their
  regular access token.
2017-10-27 09:47:07 +02:00