From 9156450920447ca179d9bf0b7d2eb7537ce3303b Mon Sep 17 00:00:00 2001
From: index-git
Date: Tue, 5 Dec 2023 09:01:04 +0100
Subject: [PATCH] Filter roles when querying role service

---
 src/layman/authz/role_service.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/layman/authz/role_service.py b/src/layman/authz/role_service.py
index f0db05e64..10bd6709d 100644
--- a/src/layman/authz/role_service.py
+++ b/src/layman/authz/role_service.py
@@ -1,6 +1,7 @@
 from db import util as db_util
 from layman import settings
 
+ROLE_NAME_PATTERN = r'^[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)*$'
 ROLE_SERVICE_SCHEMA = settings.LAYMAN_INTERNAL_ROLE_SERVICE_SCHEMA
 
 
@@ -25,6 +26,12 @@ def ensure_admin_roles():
 
 
 def get_user_roles(username):
- query = f"""select rolename from {ROLE_SERVICE_SCHEMA}.user_roles where username = %s"""
- roles = db_util.run_query(query, (username, ))
+ query = f"""
+select rolename from {ROLE_SERVICE_SCHEMA}.user_roles
+where username = %s
+ and rolename not in (%s, %s, %s)
+ and LEFT(rolename, 5) != 'USER_'
+ and rolename ~ %s
+"""
+ roles = db_util.run_query(query, (username, 'ADMIN', 'GROUP_ADMIN', settings.LAYMAN_GS_ROLE, ROLE_NAME_PATTERN))
 return {role[0] for role in roles}
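Review bot: `ROLE_NAME_PATTERN` has no comment saying which regex dialect it targets, and in this patch it is only ever bound to PostgreSQL's `~` operator in `get_user_roles`. If the constant is later reused with Python's `re.match` or `re.search`, the trailing `$` would also accept a name ending in a newline, so the two validators would disagree. A comment such as `# PostgreSQL regex for allowed role names (used with ~); use re.fullmatch if reused in Python` would make the intended use explicit.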
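Review bot: `get_user_roles` now returns a filtered subset of `user_roles` rather than every row, but nothing in the function says so, and a caller that tests for `ADMIN` or `GROUP_ADMIN` in the result would now always get a negative answer. A docstring such as `"""Return the user's role names, excluding ADMIN, GROUP_ADMIN, settings.LAYMAN_GS_ROLE, USER_* roles and names not matching ROLE_NAME_PATTERN."""` would state that contract. Separately, if `settings.LAYMAN_GS_ROLE` can be `None` and the driver binds it as NULL, `rolename not in (%s, %s, %s)` is never true and the function returns an empty set for every user. That fails closed but silently, so checking that the setting is non-empty before building the parameter tuple seems worthwhile.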