- Bug
- Resolution: Fixed
- Major
- 3.6.1
- None
Every user gets permission to access their own node's children by default. The permission is assigned via an ACL directly under the user account. However, this permission gives the user the right to modify the children of their own node only. To modify their own account, users also need permission to read their own account node.
In short,

    user
      acl_users
        0
          path = /admin/userName/*
          permission = 63

needs to be changed to

    user
      acl_users
        0
          path = /admin/userName/*
          permission = 63
        1
          path = /admin/userName
          permission = 8
We should perhaps also introduce an update task to add this second permission to all existing users.
- is depended upon by
  - MAGNOLIA-158 adminCentral: User: I can delete myself (Closed)
- is related to
  - MAGNOLIA-3006 privileges escalation by logged user (Closed)
  - MAGNOLIA-2317 Reading user nodes without having correct privileges assigned (Closed)
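The following is an added example, not part of the original issue and not Magnolia code: a small Python model of the ACL entries described above, showing why the `/admin/userName/*` entry alone does not cover the account node itself, and what an audit plus update pass over existing users would look like. The wildcard matcher, the OR-combination of matching entries, and all function names and sample users are assumptions made for illustration. The values 8 and 63 are taken from the issue text, and treating 63 as a bitmask that includes 8 is also an assumption.

```python
import re

READ = 8   # value the issue text gives for reading the account node
FULL = 63  # value the issue text assigns on the children pattern

def matches(pattern, path):
    """Anchored match where '*' stands for any run of characters (simplified model)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path) is not None

def granted(acl, path):
    """OR together the permission bits of every ACL entry whose pattern matches path."""
    bits = 0
    for entry in acl:
        if matches(entry["path"], path):
            bits |= entry["permission"]
    return bits

def can(acl, path, needed):
    """True when the ACL grants every bit in 'needed' on 'path'."""
    return granted(acl, path) & needed == needed

def missing_self_read(users, root="/admin"):
    """Audit: names of users whose ACL does not grant READ on their own node."""
    return [name for name, acl in sorted(users.items())
            if not can(acl, f"{root}/{name}", READ)]

def add_self_read(users, root="/admin"):
    """Model of the proposed update task: append the node-level READ entry where absent."""
    fixed = []
    for name in missing_self_read(users, root):
        users[name].append({"path": f"{root}/{name}", "permission": READ})
        fixed.append(name)
    return fixed

# Constructed sample data: 'alice' has the old default ACL, 'bob' the corrected one.
USERS = {
    "alice": [{"path": "/admin/alice/*", "permission": FULL}],
    "bob": [{"path": "/admin/bob/*", "permission": FULL},
            {"path": "/admin/bob", "permission": READ}],
}

if __name__ == "__main__":
    print("missing read on own node:", missing_self_read(USERS))
    print("updated:", add_self_read(USERS))
    print("still missing:", missing_self_read(USERS))
```

After the update pass, the sample user holds only the read value on the account node itself, while the full value stays confined to the children pattern.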