fix(pedm): fix permissions when querying individual logs as non-elevated user (#1351)

thenextman · web-flow · commit 2b992309bcb2 · 2025-05-20T22:38:50.000-04:00
diff --git a/crates/devolutions-pedm/src/api/log.rs b/crates/devolutions-pedm/src/api/log.rs
@@ -16,8 +16,8 @@ async fn get_jit_elevation_log_id(
 ) -> Result<Json<JitElevationLogRow>, Error> {
     let row = db.get_jit_elevation_log(id.id).await?.ok_or_else(|| Error::NotFound)?;
 
-    if !named_pipe_info.token.is_elevated()? {
-        if !row.user.as_ref().map_or(true, |u| u != &named_pipe_info.user) {
+    if row.user.as_ref().map_or(true, |u| u != &named_pipe_info.user) {
+        if !named_pipe_info.token.is_elevated()? {
             return Err(Error::AccessDenied);
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -16,8 +16,8 @@ async fn get_jit_elevation_log_id(`
`16`	`16`	`) -> Result<Json<JitElevationLogRow>, Error> {`
`17`	`17`	`let row = db.get_jit_elevation_log(id.id).await?.ok_or_else(\|\| Error::NotFound)?;`
`18`	`18`
`19`		`- if !named_pipe_info.token.is_elevated()? {`
`20`		`- if !row.user.as_ref().map_or(true, \|u\| u != &named_pipe_info.user) {`
	`19`	`+ if row.user.as_ref().map_or(true, \|u\| u != &named_pipe_info.user) {`
	`20`	`+ if !named_pipe_info.token.is_elevated()? {`
`21`	`21`	`return Err(Error::AccessDenied);`
`22`	`22`	`}`
`23`	`23`	`}`