From 3db4cf5049df63b9d702fcb542a810a4b98a95bc Mon Sep 17 00:00:00 2001
From: Daniel Gerhardt <code@dgerhardt.net>
Date: Sun, 15 May 2016 17:43:54 +0200
Subject: [PATCH] Fix security vulnerability in account management API

---
 src/main/java/de/thm/arsnova/controller/UserController.java | 2 +-
 src/main/java/de/thm/arsnova/services/UserService.java      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/java/de/thm/arsnova/controller/UserController.java b/src/main/java/de/thm/arsnova/controller/UserController.java
index 9d3fe607..e1f1d0f8 100644
--- a/src/main/java/de/thm/arsnova/controller/UserController.java
+++ b/src/main/java/de/thm/arsnova/controller/UserController.java
@@ -95,7 +95,7 @@ public class UserController extends AbstractController {
 		response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
 	}
 
-	@RequestMapping(value = { "/{username}" }, method = RequestMethod.DELETE)
+	@RequestMapping(value = { "/{username}/" }, method = RequestMethod.DELETE)
 	public final void activate(
 			@PathVariable final String username,
 			final HttpServletRequest request,
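Review bot: The new mapping `/{username}/` carries no comment saying why the trailing slash was added, so the next maintainer normalising paths is likely to revert it and reopen whatever it fixes. The move from `/{username}` to `/{username}/` presumably sidesteps Spring MVC's suffix-pattern matching, which treats the part after the last `.` in the final segment as a file extension and would bind `DELETE /alice.smith` to `username = "alice"` — the wrong account; I would record that above the annotation, e.g. `// Trailing slash prevents suffix-pattern matching from truncating usernames containing a '.'`, or express the intent directly with `@RequestMapping(value = { "/{username:.+}" }, method = RequestMethod.DELETE)`. Note that the new pattern no longer matches requests without the trailing slash, so every client calling this endpoint must change too. The method is named `activate` but is bound to `DELETE`; the mismatch predates this commit, but a rename or a comment would help, and the method's signature and body continue outside the hunk.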
diff --git a/src/main/java/de/thm/arsnova/services/UserService.java b/src/main/java/de/thm/arsnova/services/UserService.java
index a6435db4..0999d33a 100644
--- a/src/main/java/de/thm/arsnova/services/UserService.java
+++ b/src/main/java/de/thm/arsnova/services/UserService.java
@@ -408,7 +408,7 @@ public class UserService implements IUserService {
 	public DbUser deleteDbUser(String username) {
 		User user = getCurrentUser();
 		if (!user.getUsername().equals(username)
-				&& SecurityContextHolder.getContext().getAuthentication().getAuthorities()
+				&& !SecurityContextHolder.getContext().getAuthentication().getAuthorities()
 						.contains(new SimpleGrantedAuthority("ROLE_ADMIN"))) {
 			throw new UnauthorizedException();
 		}
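Review bot: The corrected check is a security boundary, yet the commit ships no regression test pinning its two outcomes — a non-admin deleting another user must get `UnauthorizedException`, and an admin deleting another user must not — so the original inverted condition could return undetected. Since the `!` was the whole vulnerability, the rule deserves a comment making it explicit: `// Only the account owner or an administrator may delete a user`. If `getCurrentUser()` can return null for an unauthenticated caller (not visible in this hunk), `user.getUsername()` throws a `NullPointerException` rather than `UnauthorizedException`; a null guard ahead of the comparison, or moving the rule to a declarative `@PreAuthorize("hasRole('ROLE_ADMIN') or #username == principal.username")`, would make the check harder to regress. The body of `deleteDbUser` continues past the end of the hunk.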
-- 
GitLab