Demindiro / agreper

Minimal, no-JS web forum software
https://forum.agreper.com/
GNU Affero General Public License v3.0
654 stars 27 forks

Missing Admin Checks #2

Closed underscore-zi closed 1 year ago

underscore-zi commented 1 year ago

Hey,

Looks like you fail to check for the admin role in a couple places:

As such, both endpoints can be requested directly, without being logged in, allowing anyone to register an account regardless of whether public registration is enabled, and potentially to give themselves admin privileges.

As I didn't set up a test environment for myself (it would be nice if you had a Dockerfile), I didn't test the admin_set_role endpoint, but I was able to register an account using the first endpoint (rather than the usual registration endpoint with a captcha) on your public instance. So I have little reason to think the second one wouldn't also work.
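The failure the report describes is a missing authorization check on admin-only handlers, not a bug in the handlers' logic. The block below is an added illustration written for this page in Python; it is not code from the agreper repository or from either commenter. It models the two endpoints named above (an admin-side registration form and admin_set_role) first as reported, reachable by anyone with no session, and then behind an `admin_required` decorator. The `Forum`, `Request` and `Session` types, the role strings and every function name are assumptions made for the example.

```python
# Added example, not agreper's code: a minimal model of two admin endpoints
# without and with a role check. All names and types here are assumed.
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Optional


class Forbidden(Exception):
    """Raised when a request lacks the role an endpoint requires."""


@dataclass
class Session:
    username: str
    role: str  # assumed role names: "user" or "admin"


@dataclass
class Request:
    session: Optional[Session]  # None for an unauthenticated request
    form: dict = field(default_factory=dict)


@dataclass
class Forum:
    users: dict = field(default_factory=dict)  # username -> role
    public_registration: bool = False


def admin_required(handler: Callable) -> Callable:
    """Refuse the request unless it carries a session whose user is an admin.

    The check lives in the handler itself, so hiding the link from
    non-admins in a template is no longer the only barrier.
    """
    @wraps(handler)
    def wrapper(forum: Forum, request: Request, *args, **kwargs):
        if request.session is None:
            raise Forbidden("login required")
        # Look the role up fresh instead of trusting the value stored in the
        # session, so a demoted admin loses access as soon as the role changes.
        if forum.users.get(request.session.username) != "admin":
            raise Forbidden("admin role required")
        return handler(forum, request, *args, **kwargs)
    return wrapper


# --- Before: the endpoints as the report describes them (no role check) ---

def admin_register_user_unchecked(forum: Forum, request: Request) -> str:
    """Creates an account regardless of public_registration and of who asks."""
    name = request.form["username"]
    forum.users[name] = "user"
    return name


def admin_set_role_unchecked(forum: Forum, request: Request) -> str:
    """Changes any user's role, including to admin, for whoever asks."""
    name = request.form["username"]
    forum.users[name] = request.form["role"]
    return forum.users[name]


# --- After: the same handlers behind the role check ---

admin_register_user = admin_required(admin_register_user_unchecked)
admin_set_role = admin_required(admin_set_role_unchecked)


def anonymous_takeover(forum: Forum, endpoints) -> Optional[str]:
    """Replay the reported path with no session: register, then self-promote.

    Returns the attacker's final role, or None if an endpoint refused.
    """
    register, set_role = endpoints
    try:
        register(forum, Request(None, {"username": "mallory"}))
        set_role(forum, Request(None, {"username": "mallory", "role": "admin"}))
    except Forbidden:
        return None
    return forum.users.get("mallory")


if __name__ == "__main__":
    unchecked = (admin_register_user_unchecked, admin_set_role_unchecked)
    guarded = (admin_register_user, admin_set_role)
    print("unchecked endpoints:", anonymous_takeover(Forum(), unchecked))
    print("guarded endpoints:  ", anonymous_takeover(Forum(), guarded))
```

Two details matter beyond the decorator itself: the role is re-read from the user store on every admin request rather than taken from the session object, so a session that still claims "admin" after a demotion is refused; and the registration handler keeps its `public_registration` setting irrelevant, because the admin endpoint is meant to bypass it, which is exactly why that endpoint must not be reachable without the admin role.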

Demindiro commented 1 year ago

Thanks! I completely missed that.