[bugfix] security: fix check grant god when FLAGS_enable_authorize is…

… false
vesoft-inc · Nov 9, 2022 · 756f0ca · 756f0ca
1 parent d9c4a6c
commit 756f0ca
Showing 1 changed file with 10 additions and 9 deletions.
diff --git a/src/graph/service/PermissionManager.cpp b/src/graph/service/PermissionManager.cpp
@@ -133,25 +133,26 @@ Status PermissionManager::canWriteRole(ClientSession *session,
                                        meta::cpp2::RoleType targetRole,
                                        GraphSpaceID spaceId,
                                        const std::string &targetUser) {
-  if (!FLAGS_enable_authorize) {
-    return Status::OK();
+  // Some check should be done no matter FLAGS_enable_authorize is true or false
+  // Check 1. Reject any user grant or revoke role to GOD,
+  if (targetRole == meta::cpp2::RoleType::GOD) {
+    return Status::PermissionError("No permission to grant/revoke god user.");
   }
-  // Cloud auth user cannot grant role
+
+  // Check 2. Cloud auth user cannot grant role
   if (FLAGS_auth_type == "cloud") {
     return Status::PermissionError("Cloud authenticate user can't write role.");
   }
+
+  if (!FLAGS_enable_authorize) {
+    return Status::OK();
+  }
   /**
    * Reject grant or revoke to himself.
    */
   if (session->user() == targetUser) {
     return Status::PermissionError("No permission to grant/revoke yourself.");
   }
-  /*
-   * Reject any user grant or revoke role to GOD
-   */
-  if (targetRole == meta::cpp2::RoleType::GOD) {
-    return Status::PermissionError("No permission to grant/revoke god user.");
-  }
   /*
    * God user can be grant or revoke any one.
    */