[CMS-15126] User admin case: user can escalate permissions beyond a predetermined set - Issues

XML

Word

Printable

Details

Type: Bug
Status: Open
Priority: Normal
Resolution: Unresolved
Affects Version/s: 14.7.8
Fix Version/s: None
Component/s: None
Labels:
- brxm-to-do
- kpi-xm-old-feature

Flagged:

Flagged
Processed by team:
Orion
Sprint:
Ready for refinement

Description

In a use case where a user group exists with permission to only create/edit user and assign them to groups, the addition of the userroles in 14 leads to a security issue.

Users of that "useradmin" group can assign userroles directly to themselves or to other users, thereby bypassing the predetermined set of permissions on group level.

See

Possible solution
Hide or disable the userrole dropdown in the user admin screen, by configuration.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

CMS-15126.png
174 kB
14/Jul/22 10:12 AM

Activity

People

Assignee:: Unassigned

Reporter:: Jeroen Hoffman

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 14/Jul/22 10:11 AM

Updated:: 10/Nov/23 3:49 PM

Details

Description

Attachments

Attachments

Activity

People

Dates

related-pages-webpanel