Merge commit from fork

GHSA-c9p4-xwr9-rfhx authN/authZ creds are added to the request context so that they can be tracked and enforced in the various subsystems. However, it was previously a appended list (incorrectly); consequently, even if the user has been removed from the group configuration, the user could still log in. Signed-off-by: Ramkumar Chinchani <[email protected]>
project-zot · Jan 17, 2025 · 002ac62 · 002ac62
1 parent fba695a
commit 002ac62
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/pkg/meta/boltdb/boltdb.go b/pkg/meta/boltdb/boltdb.go
@@ -1662,7 +1662,7 @@ func (bdw *BoltDB) SetUserGroups(ctx context.Context, groups []string) error {
 			return err
 		}
 
-		userData.Groups = append(userData.Groups, groups...)
+		userData.Groups = groups
 
 		err = bdw.setUserData(userid, tx, userData)
 

diff --git a/pkg/meta/dynamodb/dynamodb.go b/pkg/meta/dynamodb/dynamodb.go
@@ -1647,7 +1647,7 @@ func (dwr DynamoDB) SetUserGroups(ctx context.Context, groups []string) error {
 		return err
 	}
 
-	userData.Groups = append(userData.Groups, groups...)
+	userData.Groups = groups
 
 	return dwr.SetUserData(ctx, userData)
 }