Hippo CMS, issue CMS-15126

User admin case: user can escalate permissions beyond a predetermined set


Details

    • Type: Bug
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Affects version: 14.7.8
    • Flagged
    • Orion
    • Ready for refinement

    Description

      In a use case where a user group exists whose only permissions are to create/edit users and assign them to groups, the addition of userroles in version 14 leads to a security issue.

      Users of that "useradmin" group can assign userroles directly to themselves or to other users, thereby bypassing the predetermined set of permissions defined at group level.

      See

      Possible solution
      Hide or disable the userrole dropdown in the user admin screen, by configuration.

      People

        Assignee: Unassigned
        Reporter: jhoffman (Jeroen Hoffman)