
Method putUserProfile missing a server-side AuthZ check #19764

@jdomeracki-coder

Description

Summary

Method putUserProfile missing a server-side AuthZ check

Current Behavior

A Member user can make the following PUT request to change their username:

curl -X PUT http://coder-server:8080/api/v2/users/{user}/profile \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -H 'Coder-Session-Token: API_KEY' \
  --data-raw '{"username":"jdoe","name":"John Doe"}'

https://coder.com/docs/reference/api/users#update-user-profile

This should not be the case as per:
#3286
#3649

Proposed Changes

We should explicitly check if the given user has the update_personal permission (ActionUpdatePersonal) granted in their RBAC policy:

	if !api.Authorize(r, policy.ActionUpdatePersonal, user) {
		httpapi.ResourceNotFound(rw)
		return
	}

Also, this is most likely a bug, and policy.ActionUpdatePersonal should be removed from the Member role:

coder/coderd/rbac/roles.go

Lines 302 to 304 in d527f91

// Users cannot do create/update/delete on themselves, but they
// can read their own details.
ResourceUser.Type: {policy.ActionRead, policy.ActionReadPersonal, policy.ActionUpdatePersonal},
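A self-contained illustration of the server-side check the issue asks for, added here as example code and not coder's own rbac package: the names Action, Actor, rolePolicy, Authorize and PutUserProfile are hypothetical. It models a Member role that lacks update_personal, scopes the "personal" actions to the actor's own user record, and has the handler answer 404 on denial, as the proposed httpapi.ResourceNotFound call would.

```go
package main

import "net/http"

// Constructed, simplified RBAC model with hypothetical names; not coder's rbac package.
type Action string

const (
	ActionRead           Action = "read"
	ActionReadPersonal   Action = "read_personal"
	ActionUpdatePersonal Action = "update_personal"
)

type Actor struct {
	ID    string
	Roles []string
}

// rolePolicy lists the actions each role may take on the user resource;
// "member" deliberately lacks update_personal, as the issue proposes.
var rolePolicy = map[string]map[Action]bool{
	"member": {ActionRead: true, ActionReadPersonal: true},
	"owner":  {ActionRead: true, ActionReadPersonal: true, ActionUpdatePersonal: true},
}

// Authorize grants the action if some role permits it; the "personal" actions
// are additionally scoped to the actor's own user record.
func Authorize(actor Actor, action Action, targetUserID string) bool {
	personal := action == ActionReadPersonal || action == ActionUpdatePersonal
	if personal && actor.ID != targetUserID {
		return false
	}
	for _, role := range actor.Roles {
		if rolePolicy[role][action] {
			return true
		}
	}
	return false
}

// PutUserProfile is the hardened handler: it checks server-side before mutating and
// answers 404 on denial, as httpapi.ResourceNotFound in the proposed fix would.
func PutUserProfile(actor Actor, targetUserID, newUsername string, users map[string]string) int {
	if _, ok := users[targetUserID]; !ok || !Authorize(actor, ActionUpdatePersonal, targetUserID) {
		return http.StatusNotFound
	}
	users[targetUserID] = newUsername
	return http.StatusOK
}
```

Returning 404 rather than 403 on a failed check keeps an unauthorized caller from learning whether the target user exists.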
