#408 Fix a typo on user roles patch API, producing a security issue

TheHive-Project · May 22, 2019 · 9483b9b · 9483b9b
1 parent 55e745f
commit 9483b9b
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/thehive-backend/app/controllers/UserCtrl.scala b/thehive-backend/app/controllers/UserCtrl.scala
@@ -52,7 +52,7 @@ class UserCtrl @Inject() (
       else if (request.body.contains("key")) {
         Future.failed(AuthorizationError("You must use dedicated API (renewKey, removeKey) to update key"))
       }
-      else if (request.body.contains("role") && !request.authContext.roles.contains(Roles.admin)) {
+      else if (request.body.contains("roles") && !request.authContext.roles.contains(Roles.admin)) {
         Future.failed(AuthorizationError("You are not permitted to change user role"))
       }
       else if (request.body.contains("status") && !request.authContext.roles.contains(Roles.admin)) {