code in https://github.com/anerg2046/go-admin-server/blob/master/app/http/repo/Role.go , the function Assign .
when giving someone privileges it will remove the user's all privileges first. In some Race Conditions , it will make user lose privileges
exploit:
requests the api in 50 threads ,
comm users has no privileges,and the slow sql log see delete all the user's casbin_rule
and you can not login the system .
code in https://github.com/anerg2046/go-admin-server/blob/master/app/http/repo/Role.go , the function Assign .
when giving someone privileges it will remove the user's all privileges first. In some Race Conditions , it will make user lose privileges
exploit:
requests the api in 50 threads ,
comm users has no privileges,and the slow sql log see delete all the user's casbin_rule
and you can not login the system .