CHEF-2649: Only allow admin clients to create admins (not validators)

7a095973 · Bryan McLellan · faad1a96 · 7a095973
Commit 7a095973 authored Oct 29, 2011 by Bryan McLellan
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 7 deletions

chef-server-api/app/controllers/clients.rb chef-server-api/app/controllers/clients.rb +7 -7

No files found.
--- a/chef-server-api/app/controllers/clients.rb
+++ b/chef-server-api/app/controllers/clients.rb
@@ -49,13 +49,13 @@ class Clients < Application
    exists = true 
    if params.has_key?(:inflated_object)
      params[:name] ||= params[:inflated_object].name
-      # We can only get here if we're admin or the validator. Only
-      # allow creating admin clients if we're already an admin.
-      if @auth_user.admin
-        params[:admin] ||= params[:inflated_object].admin
-      else
-        params[:admin] = false
-      end
+      params[:admin] ||= params[:inflated_object].admin
+    end
+
+    # We can only create clients if we're the admin or the validator.
+    # But only allow creating admin clients if we're already an admin.
+    if params[:admin] == true && @auth_user.admin != true
+      raise Forbidden, "You are not allowed to take this action."
    end

    begin