NAS-125067 / 24.04 / Always allow authenticated users to set webui pr…

…efs (#12453) The attributes dictionary contains webui preferences as determined by the UI team. Users should be able to write to their own settings regardless of privileges granted to them.
truenas · Nov 6, 2023 · b49f704 · b49f704
1 parent 0e98457
commit b49f704
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/src/middlewared/middlewared/plugins/auth.py b/src/middlewared/middlewared/plugins/auth.py
@@ -539,6 +539,7 @@ async def me(self, app):
 
         return {**user, 'attributes': attributes}
 
+    @no_authz_required
     @accepts(
         Str('key'),
         Any('value'),

diff --git a/tests/api2/test_account_privilege_role.py b/tests/api2/test_account_privilege_role.py
@@ -98,3 +98,11 @@ def test_readonly_can_not_call_method():
             c.call("filesystem.mkdir", "/foo")
 
         assert ve.value.errno == errno.EACCES
+
+
+def test_limited_user_can_set_own_attributes():
+    with unprivileged_user_client(["READONLY"]) as c:
+        c.call("auth.set_attribute", "foo", "bar")
+        attrs = c.call("auth.me")["attributes"]
+        assert "foo" in attrs
+        assert attrs["foo"] == "bar"