Check for matching creator & user during connect (#4876)

Signed-off-by: Thomas Quandt <[email protected]>
cloudfoundry · Feb 22, 2021 · 6f3567b · 6f3567b
1 parent e5138f0
commit 6f3567b
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/src/jetstream/authcnsi.go b/src/jetstream/authcnsi.go
@@ -160,6 +160,10 @@ func (p *portalProxy) DoLoginToCNSI(c echo.Context, cnsiGUID string, systemShare
 		if user.Admin {
 			return nil, echo.NewHTTPError(http.StatusUnauthorized, "Can not connect - admins are not allowed to connect to user created endpoints")
 		}
+
+		if cnsiRecord.Creator != userID {
+			return nil, echo.NewHTTPError(http.StatusUnauthorized, "Can not connect - non-admins are not allowed to connect to endpoints created by other non-admins")
+		}
 	}
 
 	// Register as a system endpoint?