Non-Secretariat admin users can use the /registry/org/:shortname/user/:username endpoint to call updateUser in registry-user.controller.js with a JSON document that has a top-level UUID property. This is blocked in createUser (cve-services/src/controller/registry-user.controller/registry-user.controller.js, lines 154 to 156 in 15238d1):

```js
// Do not allow the user to pass in a UUID
if ((body?.UUID ?? null) || (body?.uuid ?? null)) {
  return res.status(400).json(error.uuidProvided('user'))
```

but not blocked in updateUser. There are various impacts of changing a UUID that go beyond denying service to a user within one's own organization. For example, documents in the Cve-Id, Conversation, and Audit collections could then refer to a UUID that does not correspond to any user, interfering with use of those collections by the Secretariat. Also, the non-Secretariat admin user could potentially provide a conflicting UUID (the UUID of a different user in his own organization or of a user in a different organization).