RedHatProductSecurity / cvelib

A Python library and command line interface for CVE Services.
MIT License

mark-active and mark-inactive seem to affect the active user and not the selected one #86

Closed CERT-VDE closed 4 days ago

CERT-VDE commented 2 weeks ago

Hey there,

I tried to mark a user inactive (user -u username@domain.tld update --mark-inactive), got the response that the update went through, but couldn't use the API afterwards. So one of my colleagues checked within their account and could confirm that my account had been set inactive instead of the one that was planned to be set inactive. However, my colleagues are not able to reactivate my account; all tags with --mark-(in)active seem to affect the active user only, not the one selected with -u username. Affected versions seem to be 1.2.x up to 1.4.0.

Thank you, CERT@VDE /jochen

mprpic commented 1 week ago

Jochen, note that the order of the -u argument matters here. If you specify it before the update, it is used by the user subcommand where it serves as a modifier of which user you want to display information for (not specifying it defaults to your current user, for which you specified credentials).

The subcommands of the user command (create, update, reset-key) have their own -u command to specify which user to perform those actions on. So your command to mark someone as inactive should have been:

cve user update --mark-inactive -u username@example.org

Your command defaulted the user to your user and marked you as inactive instead.

mprpic commented 1 week ago

Also worth noting that perhaps using interactive mode would have prevented this:

> cve -i user update -u test@redhat.com --mark-inactive
You are about to update the test@redhat.com user with the following changes:

- active: false

Do you want to continue? [y/N]: n
Exiting...

> cve -i user -u test@redhat.com update --mark-inactive
You are about to update the mprpic@redhat.com user with the following changes:

- active: false

Do you want to continue? [y/N]: n

If you have ideas of how to improve the user experience, do share :wink:

CERT-VDE commented 4 days ago

Thank you for clarification @mprpic !

My idea would be to force the -u after update when using --mark-inactive or --mark-active. That should prevent users who are not able to read the help carefully (like me 😉) from accidentally locking themselves out. Another option would be to use something like --target-user instead of -u after update... However, with your help a colleague was able to mark my account as active again, thank you.

/Jochen

mprpic commented 4 days ago

See linked MR where I made the -u option required so that it's more explicit about which user is being updated.
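The two option positions discussed in this thread, modelled as an added example that is not cvelib's own code: a group-level -u (which user to display) and a subcommand-level -u (which user to update), first with the subcommand's -u defaulting to the current user (the trap above), then with it required (the fix in the linked MR). It uses the standard-library argparse rather than the click framework cvelib is built on, and the user names are constructed; cvelib's real option names and defaults are not reproduced here.

```python
"""Added example (not cvelib's code): how `cve user -u X update` and
`cve user update -u X` resolve to different target users, and why requiring
the subcommand-level -u prevents an accidental self-lockout.

Modelled with argparse; cvelib itself uses click. Names are constructed.
"""
import argparse

# Constructed: the user whose credentials are configured for the CLI.
CURRENT_USER = "me@example.org"


def build_parser(require_target: bool) -> argparse.ArgumentParser:
    """Build `cve user [-u USER] update [-u USER] --mark-inactive|--mark-active`.

    require_target=False: the update subcommand's -u defaults to CURRENT_USER,
    so `cve user -u other update --mark-inactive` deactivates *you*.
    require_target=True:  the update subcommand's -u must be given explicitly,
    so the same command is rejected at parse time.
    """
    top = argparse.ArgumentParser(prog="cve")
    sub = top.add_subparsers(dest="command", required=True)

    user = sub.add_parser("user")
    # Group-level -u: selects which user to *display*; it is not the update target.
    user.add_argument("-u", "--username", dest="display_user", default=CURRENT_USER)
    user_sub = user.add_subparsers(dest="action", required=True)

    update = user_sub.add_parser("update")
    # Subcommand-level -u: the user actually being modified.
    update.add_argument(
        "-u", "--username", dest="target_user",
        required=require_target,
        default=None if require_target else CURRENT_USER,
    )
    update.add_argument("--mark-inactive", action="store_true")
    update.add_argument("--mark-active", action="store_true")
    return top


def parse(argv: list[str], require_target: bool = False):
    """Parse argv; return the namespace, or None if argparse rejected it."""
    parser = build_parser(require_target)
    try:
        return parser.parse_args(argv)
    except SystemExit:
        # argparse exits on error (e.g. missing required -u); report as None.
        return None


def resolve_update_target(argv: list[str], require_target: bool = False):
    """Return (display_user, target_user) for argv, or None on a parse error."""
    ns = parse(argv, require_target)
    if ns is None:
        return None
    return ns.display_user, ns.target_user


def confirmation_text(argv: list[str], require_target: bool = False):
    """Mimic the interactive-mode prompt: say which user the change would hit.

    Naming the target before applying the change is what lets a user catch the
    ordering mistake before locking themselves out.
    """
    ns = parse(argv, require_target)
    if ns is None:
        return None
    changes = []
    if ns.mark_inactive:
        changes.append("active: false")
    if ns.mark_active:
        changes.append("active: true")
    lines = [f"You are about to update the {ns.target_user} user with the following changes:"]
    lines += [f"- {c}" for c in changes]
    return "\n".join(lines)


if __name__ == "__main__":
    wrong = ["user", "-u", "colleague@example.org", "update", "--mark-inactive"]
    right = ["user", "update", "--mark-inactive", "-u", "colleague@example.org"]
    print("lenient, wrong order :", resolve_update_target(wrong))
    print("lenient, right order :", resolve_update_target(right))
    print("required, wrong order:", resolve_update_target(wrong, require_target=True))
    print("required, right order:", resolve_update_target(right, require_target=True))
    print(confirmation_text(wrong))
```

With the lenient parser, the first invocation silently targets CURRENT_USER; with the subcommand-level -u required, the same invocation fails to parse instead of deactivating the caller, and the confirmation text names the real target either way.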