Magnolia / MAGNOLIA-1265

User Dialog allows to add denied Roles

Details

    • Improvement
    • Resolution: Fixed
    • Major
    • 3.6.2, 3.6.3
    • 3.0.1
    • admininterface, core, security
    • None
    • Magnolia 3 RC4

    Description

      I created a User whose role denies him access to certain roles like superuser, editor etc. The goal was to create a limited user manager that only can assign certain roles to new users.

      After setting the required role access to denied, the "Choose" button in the "new user" dialog correctly showed only the allowed roles.
      However, it is still possible to add a new user with the role "superuser" by just typing "/superuser" in the field for the roles. I guess the same applies also for other areas like groups etc.

      This behaviour allows a limited user to bypass the Rights. In my opinion it should be checked on Save if the user has read access to the Role or not.
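
The check requested above, sketched as an added example that is not part of the original report and is not Magnolia code: the role picker and the save path consult the same ACL, so a role path typed by hand is rejected on save. `RoleAcl`, `rolesForPicker` and `saveUser` are hypothetical names, the role list is constructed sample data, and the ACL is simplified to exact path matches.

```java
import java.util.*;

// Added illustration; all class and method names here are hypothetical, not Magnolia APIs.
public class RoleAssignmentCheck {

    /** Simplified ACL of the acting user: the role paths it has read access to. */
    static final class RoleAcl {
        private final Set<String> readable;
        RoleAcl(String... readablePaths) { readable = new HashSet<>(Arrays.asList(readablePaths)); }
        boolean canRead(String rolePath) { return readable.contains(rolePath); }
    }

    /** What the "Choose" button already does: filter the list shown in the dialog. */
    static List<String> rolesForPicker(RoleAcl acl, List<String> allRoles) {
        List<String> shown = new ArrayList<>();
        for (String r : allRoles) if (acl.canRead(r)) shown.add(r);
        return shown;
    }

    /** What save must also do: re-check every submitted path, whatever the UI displayed. */
    static void saveUser(RoleAcl acl, String userName, List<String> submittedRoles) {
        List<String> denied = new ArrayList<>();
        for (String r : submittedRoles) {
            String path = r.trim();
            if (!acl.canRead(path)) denied.add(path);
        }
        if (!denied.isEmpty()) {
            // Reject the whole save rather than silently dropping the denied roles.
            throw new SecurityException("user '" + userName + "' not saved; roles not permitted: " + denied);
        }
        System.out.println("saved " + userName + " with roles " + submittedRoles);
    }

    public static void main(String[] args) {
        // Constructed sample data: a limited user manager who may only hand out two roles.
        List<String> allRoles = Arrays.asList("/superuser", "/editor", "/anonymous", "/newsletter");
        RoleAcl limitedManager = new RoleAcl("/anonymous", "/newsletter");

        System.out.println("picker shows: " + rolesForPicker(limitedManager, allRoles));
        saveUser(limitedManager, "alice", Arrays.asList("/newsletter"));
        try {
            // Role path entered directly in the field instead of through the picker.
            saveUser(limitedManager, "bob", Arrays.asList("/newsletter", "/superuser"));
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```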


              People

                had Jan Haderka
                cgr Claudio Greuter