Fix #8323: GenerateToken can overwrite any relations that user may have (#9091)

Co-authored-by: Mohit Yadav <105265192+mohityadav766@users.noreply.github.com>
2025-10-31 02:29:03 +00:00 · 2022-12-01 01:51:32 -08:00 · 2022-12-01 01:51:32 -08:00 · db91a2e1d5
commit db91a2e1d5
parent 0050243479
2 changed files with 7 additions and 3 deletions
--- a/openmetadata-service/src/main/java/org/openmetadata/service/resources/teams/UserResource.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/resources/teams/UserResource.java
@ -567,7 +567,7 @@ public class UserResource extends EntityResource<User, UserRepository> {
      @Valid GenerateTokenRequest generateTokenRequest)
      throws IOException {
    authorizer.authorizeAdmin(securityContext);
-    User user = dao.get(uriInfo, id, Fields.EMPTY_FIELDS);
+    User user = dao.get(uriInfo, id, dao.getFieldsWithUserAuth("*"));
    JWTAuthMechanism jwtAuthMechanism =
        jwtTokenGenerator.generateJWTToken(user, generateTokenRequest.getJWTTokenExpiry());
    AuthenticationMechanism authenticationMechanism =
@ -598,7 +598,7 @@ public class UserResource extends EntityResource<User, UserRepository> {
      @Context UriInfo uriInfo, @Context SecurityContext securityContext, @Valid RevokeTokenRequest revokeTokenRequest)
      throws IOException {
    authorizer.authorizeAdmin(securityContext);
-    User user = dao.get(uriInfo, revokeTokenRequest.getId(), Fields.EMPTY_FIELDS);
+    User user = dao.get(uriInfo, revokeTokenRequest.getId(), dao.getFieldsWithUserAuth("*"));
    if (!user.getIsBot()) {
      throw new IllegalStateException(CatalogExceptionMessage.invalidBotUser());
    }
--- a/openmetadata-service/src/test/java/org/openmetadata/service/resources/teams/UserResourceTest.java
+++ b/openmetadata-service/src/test/java/org/openmetadata/service/resources/teams/UserResourceTest.java
@ -693,15 +693,19 @@ public class UserResourceTest extends EntityResourceTest<User, CreateUser> {
    CreateUser create =
        createBotUserRequest("ingestion-bot-jwt")
            .withEmail("ingestion-bot-jwt@email.com")
+            .withRoles(List.of(ROLE1_REF.getId()))
            .withAuthenticationMechanism(authMechanism);
    User user = createEntity(create, authHeaders("ingestion-bot-jwt@email.com"));
+    user = getEntity(user.getId(), "*", ADMIN_AUTH_HEADERS);
+    assertEquals(user.getRoles().size(), 1);
    TestUtils.put(
        getResource(String.format("users/generateToken/%s", user.getId())),
        new GenerateTokenRequest().withJWTTokenExpiry(JWTTokenExpiry.Seven),
        OK,
        ADMIN_AUTH_HEADERS);
-    user = getEntity(user.getId(), ADMIN_AUTH_HEADERS);
+    user = getEntity(user.getId(), "*", ADMIN_AUTH_HEADERS);
    assertNull(user.getAuthenticationMechanism());
+    assertEquals(user.getRoles().size(), 1);
    JWTAuthMechanism jwtAuthMechanism =
        TestUtils.get(
            getResource(String.format("users/token/%s", user.getId())), JWTAuthMechanism.class, ADMIN_AUTH_HEADERS);