Details
-
Bug
-
Status: Open
-
High
-
Resolution: Unresolved
-
None
-
None
-
None
-
Flagged
-
Orion
-
BrXM Backlog
Description
Feedback from a client
A user with role xm.security.user-admin is able to see all possible roles, making him or her able to add roles to their own user for tasks they are not allowed to perform. They should only be able to hand out roles they have themselves.
They are also able to change the password of users with more privileges, allowing them to misuse that account to do things they are not allowed to.
Easily reproducible with a user having only userroles "xm.cms.user" and "xm.security.user-admin".
This is the use case
We want the client to be able to administer their own CMS users and groups, but we don't want them to be able to obtain other administration roles that can possibly be used to (accidentally) break functionalities. Only us (the developers) are allowed to view for example the console and repository.
We have configured our own userroles with our own prefix, those rules are the only rules that the client should be allowed to add to users, but we're still in the process of setting it up. Essentially it comes down to three userroles per subsite: author, editor and webmaster, and one userrole to rule them all, which is webmaster for each subsite + xm.security.user-admin.