mark-active and mark-inactive seem to affect the active user and not the selected one #86

Closed
CERT-VDE opened this issue Jul 1, 2024 · 4 comments · Fixed by #90

CERT-VDE commented Jul 1, 2024

Hey there,

I tried to mark a user inactive (user -u [email protected] update --mark-inactive), got the response that the update went through but can't use the API afterwards. So one of my colleagues checked within their account and could confirm that my account has been set inactive instead of the one that was planned to be set inactive.
However, my colleagues are not able to reactivate my account; all tags with --mark-(in)active seem to affect the active user only, not the one selected with -u username.
Affected versions seem to be 1.2.x up to 1.4.0.

Thank you,
CERT@VDE
/jochen

Contributor

mprpic commented Jul 8, 2024

Jochen, note that the order of the -u argument matters here. If you specify it before the update, it is used by the user subcommand where it serves as a modifier of which user you want to display information for (not specifying it defaults to your current user, for which you specified credentials).

The subcommands of the user command (create, update, reset-key) have their own -u command to specify which user to perform those actions on. So your command to mark someone as inactive should have been:

cve user update --mark-inactive -u [email protected]

Your command defaulted the user to your user and marked you as inactive instead.

Contributor

mprpic commented Jul 8, 2024

Also worth noting that perhaps using interactive mode would have prevented this:

> cve -i user update -u [email protected] --mark-inactive
You are about to update the [email protected] user with the following changes:

- active: false

Do you want to continue? [y/N]: n
Exiting...

> cve -i user -u [email protected] update --mark-inactive
You are about to update the [email protected] user with the following changes:

- active: false

Do you want to continue? [y/N]: n

If you have ideas of how to improve the user experience, do share 😉

Author

CERT-VDE commented Jul 16, 2024

Thank you for the clarification, @mprpic!

My idea would be to force the -u after update when using --mark-inactive or --mark-active. That should prevent users that are not able to read the help carefully (like me 😉) from accidentally locking themselves out.
Another option would be to use something like --target-user instead of -u after update...
However, with your help a colleague was able to mark my account as active again, thank you.

/Jochen

mprpic added a commit that referenced this issue Jul 16, 2024
Making it optional and defaulting to the current user could have
inadvertently updated your own user if you forgot to specify the target
user. Requiring a value makes the update or reset token action
more explicit.

Resolves #86
Contributor

mprpic commented Jul 16, 2024

See linked MR where I made the -u option required so that it's more explicit about which user is being updated.
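
The behaviour discussed in this thread, as an added example that is not part of the issue or the project's code: a model built with Python's argparse in which the `user` group and its `update` subcommand each have their own `-u`, first with the subcommand's `-u` optional (defaulting to the current user) and then required. The dest names, the `Parser` class and the example.test addresses are assumptions made for illustration.

```python
import argparse

CURRENT_USER = "me@example.test"        # constructed: user whose credentials are in use
COLLEAGUE = "colleague@example.test"    # constructed: account meant to be deactivated


class Parser(argparse.ArgumentParser):
    def error(self, message):
        # Raise instead of exiting so callers can observe the rejection.
        raise ValueError(message)


def build_user_parser(require_target):
    """Model of `cve user [-u X] update [-u Y] --mark-(in)active` (dest names are hypothetical)."""
    user = Parser(prog="cve user")
    # Group-level -u: only selects whose details to display.
    user.add_argument("-u", dest="show_user", default=CURRENT_USER)
    update = user.add_subparsers(dest="action").add_parser("update")
    if require_target:
        # After the fix: the subcommand's own -u must be given.
        update.add_argument("-u", dest="target_user", required=True)
    else:
        # Before the fix: a missing -u silently falls back to the caller.
        update.add_argument("-u", dest="target_user", default=CURRENT_USER)
    update.add_argument("--mark-active", dest="active", action="store_true", default=None)
    update.add_argument("--mark-inactive", dest="active", action="store_false", default=None)
    return user


def resolve_update(argv, require_target):
    """Return (target_user, active) that the update would be applied to."""
    ns = build_user_parser(require_target).parse_args(argv)
    return ns.target_user, ns.active


if __name__ == "__main__":
    misplaced = ["-u", COLLEAGUE, "update", "--mark-inactive"]
    correct = ["update", "--mark-inactive", "-u", COLLEAGUE]
    print("optional -u, misplaced:", resolve_update(misplaced, require_target=False))
    print("optional -u, correct:  ", resolve_update(correct, require_target=False))
    try:
        resolve_update(misplaced, require_target=True)
    except ValueError as exc:
        print("required -u, misplaced: rejected:", exc)
```

With the optional form, the misplaced `-u` is consumed by the group and the update lands on the caller's own account; with the required form, the same command line is rejected before any change is made.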

mprpic closed this as completed in 982f92b Jul 16, 2024