diff --git a/src/authm/AuthManager.cc b/src/authm/AuthManager.cc
index 7880a5be53..86d286b61c 100644
--- a/src/authm/AuthManager.cc
+++ b/src/authm/AuthManager.cc
@@ -82,15 +82,20 @@ void AuthRequest::add_auth(Object ob,
 gid == GroupPool::ONEADMIN_ID ||
 // User is the owner of the object, for certain operations
- ( owner == uid &&
- ( op == DELETE || op == USE || op == MANAGE ||
- op == INFO || op == INSTANTIATE )
+ ( owner == uid &&
+ ( op == DELETE || op == USE || op == MANAGE ||
+ op == INFO || op == INSTANTIATE )
 ) ||
 // Object is public and user is in its group, for certain operations
- ( pub && ( gid == ob_gid ) &&
- (op == USE || op == INSTANTIATE || op == INFO ) &&
- (ob == NET || ob == IMAGE || ob == TEMPLATE)
+ ( pub && ( gid == ob_gid ) &&
+ ( op == USE || op == INSTANTIATE || op == INFO ) &&
+ ( ob == NET || ob == IMAGE || ob == TEMPLATE)
+ ) ||
+
+ // User can show and MANAGE (change passwd) their own information
+ ( uid == ob_id_int && ob == USER &&
+ ( op == INFO || op == MANAGE )
 )
 )
 {
diff --git a/src/rm/RequestManagerInfo.cc b/src/rm/RequestManagerInfo.cc
index a0c73da2cd..9a1e4a79a7 100644
--- a/src/rm/RequestManagerInfo.cc
+++ b/src/rm/RequestManagerInfo.cc
@@ -28,11 +28,6 @@ void RequestManagerInfo::request_execute(xmlrpc_c::paramList const& paramList,
 PoolObjectSQL * object;
 string str;
- if ( basic_authorization(oid, att) == false )
- {
- return;
- }
-
 if ( oid == -1 )
 {
 if ( auth_object == AuthRequest::USER )
@@ -45,6 +40,11 @@ void RequestManagerInfo::request_execute(xmlrpc_c::paramList const& paramList,
 }
 }
+ if ( basic_authorization(oid, att) == false )
+ {
+ return;
+ }
+
 object = pool->get(oid,true);
 if ( object == 0 )
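Review bot: The self-service clause added at the end of the condition in `AuthRequest::add_auth` grants `MANAGE` on the caller's own `USER` object, but the comment narrows that to "change passwd" while the code does not. Any USER operation that is authorized with `MANAGE` is approved by this branch, so it is worth confirming that password change is the only one and recording the limit in the comment, e.g. `// A user may INFO and MANAGE only the USER object whose id equals their own uid; keep USER/MANAGE limited to self-service actions`. The match also relies on `ob_id_int`, which is computed outside this hunk; if that conversion falls back to a default value when `ob_id` is not a plain number, `uid == ob_id_int` could hold for a request that names no user at all, so the conversion should fail closed. The enclosing `if` starts before and ends after the hunk.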
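Review bot: With `basic_authorization(oid, att)` moved below the `if ( oid == -1 )` block in `request_execute`, every statement in that block now runs before any authorization decision, and most of its body lies between the two hunks where it is not visible. Any branch there that sends a response or returns early would skip the check entirely. The value it substitutes for `oid` is also what gets authorized, so it should come only from the authenticated caller's identity and never from a request parameter. A comment above the moved call would keep a later cleanup from restoring the old order, e.g. `// Authorize only after oid == -1 has been resolved, so the check is made against the real object id`. `request_execute` begins before the first hunk and continues past the second.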