Project: Hippo CMS
Issue: CMS-13511

User with role xm.security.user-admin can obtain all roles


Details

    • Type: Bug
    • Status: Open
    • Priority: High
    • Resolution: Unresolved
    • Flagged
    • Orion
    • BrXM Backlog

    Description

      Feedback from a client

      A user with role xm.security.user-admin is able to see all possible roles, making him or her able to add roles to their own user for tasks they are not allowed to perform. They should only be able to hand out roles they have themselves.

      They are also able to change the password of users with more privileges, allowing them to misuse that account to do things they are not allowed to.

      Easily reproducible with a user having only userroles "xm.cms.user" and "xm.security.user-admin".

      This is the use case:

      We want the client to be able to administer their own CMS users and groups, but we don't want them to be able to obtain other administration roles that can possibly be used to (accidentally) break functionalities. Only we (the developers) are allowed to view, for example, the console and repository.

      We have configured our own userroles with our own prefix; those roles are the only roles that the client should be allowed to add to users, but we're still in the process of setting it up. Essentially it comes down to three userroles per subsite: author, editor and webmaster, and one userrole to rule them all, which is webmaster for each subsite + xm.security.user-admin.
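The two checks the report asks for, written out as an added illustration in Python. This is not brXM code and does not use its security API; only the role names xm.cms.user and xm.security.user-admin come from the report, while the per-subsite roles (site1.author, site1.editor, site1.webmaster, site2.*), the bundled site.webmaster-all role and the developer-only dev.console / dev.repository roles are constructed here to mirror the hierarchy the reporter describes. The rule it enforces is the one the reporter states: a user-admin may only hand out roles already contained in their own effective role set, and may only reset the password of a user whose effective roles are a subset of their own. unrestricted_grantable models the behaviour being reported (every role visible to any user-admin) for contrast.

```python
"""Delegated user administration as the report asks for it:

* a user-admin can see and assign only roles already within their own
  effective role set (so they cannot grant themselves console or
  repository access), and
* a user-admin can reset a password only for users whose effective roles
  are a subset of their own (so they cannot take over a more privileged
  account).

Added illustration, not brXM code. Only "xm.cms.user" and
"xm.security.user-admin" come from the report; every other role name and
the hierarchy below are constructed for the example.
"""
from __future__ import annotations

from collections.abc import Iterable

USER_ADMIN = "xm.security.user-admin"

# Constructed role hierarchy: a userrole may bundle other userroles.
# "site.webmaster-all" mirrors the report's "one userrole to rule them all":
# webmaster on each subsite plus xm.security.user-admin.
ROLE_INCLUDES: dict[str, set[str]] = {
    "xm.cms.user": set(),
    USER_ADMIN: set(),
    "dev.console": set(),       # assumed developer-only role (console access)
    "dev.repository": set(),    # assumed developer-only role (repository access)
    "site1.author": {"xm.cms.user"},
    "site1.editor": {"site1.author"},
    "site1.webmaster": {"site1.editor"},
    "site2.author": {"xm.cms.user"},
    "site2.editor": {"site2.author"},
    "site2.webmaster": {"site2.editor"},
    "site.webmaster-all": {"site1.webmaster", "site2.webmaster", USER_ADMIN},
}


def effective_roles(roles: Iterable[str],
                    includes: dict[str, set[str]] = ROLE_INCLUDES) -> frozenset[str]:
    """Transitive closure of the given roles over the include hierarchy."""
    seen: set[str] = set()
    stack = list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(includes.get(role, ()))
    return frozenset(seen)


def unrestricted_grantable(admin_roles: Iterable[str],
                           includes: dict[str, set[str]] = ROLE_INCLUDES) -> frozenset[str]:
    """The behaviour the report complains about: any user-admin sees every role."""
    if USER_ADMIN not in effective_roles(admin_roles, includes):
        return frozenset()
    return frozenset(includes)


def grantable_roles(admin_roles: Iterable[str],
                    includes: dict[str, set[str]] = ROLE_INCLUDES) -> frozenset[str]:
    """Roles a user-admin may hand out: only those fully contained in their own set."""
    own = effective_roles(admin_roles, includes)
    if USER_ADMIN not in own:
        return frozenset()
    return frozenset(r for r in includes if effective_roles([r], includes) <= own)


def can_assign(admin_roles: Iterable[str], role: str,
               includes: dict[str, set[str]] = ROLE_INCLUDES) -> bool:
    """True only if the admin already holds everything the role would confer."""
    return role in grantable_roles(admin_roles, includes)


def can_reset_password(admin_roles: Iterable[str], target_roles: Iterable[str],
                       includes: dict[str, set[str]] = ROLE_INCLUDES) -> bool:
    """True only if the target is not more privileged than the admin."""
    own = effective_roles(admin_roles, includes)
    return USER_ADMIN in own and effective_roles(target_roles, includes) <= own


if __name__ == "__main__":
    client_admin = ["xm.cms.user", USER_ADMIN]   # the reproduction case from the report
    print("reported behaviour, roles offered:", sorted(unrestricted_grantable(client_admin)))
    print("expected behaviour, roles offered:", sorted(grantable_roles(client_admin)))
    print("may reset a developer's password:",
          can_reset_password(client_admin, ["xm.cms.user", "dev.console"]))
```

With the reproduction user (xm.cms.user plus xm.security.user-admin) the expected list shrinks to exactly those two roles, and a password reset on a user holding dev.console is refused; a holder of the bundled site.webmaster-all role can hand out every subsite role but still not the developer-only ones.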

      People

        Assignee: Unassigned
        Reporter: jhoffman (Jeroen Hoffman)