-
Bug
-
Resolution: Fixed
-
Blocker
-
3.6.2
-
None
This is a leftover from MAGNOLIA-574 : since the task was closed ignoring my comments and no other task is listed for 3.6.2 I am adding this as a separate issue since IMHO magnolia 3.6.2 can't be released as is now...
After the change in MAGNOLIA-574 and related now every user (at least with a read only access to the user repository) can self-change its role to superuser using the preference dialog linked to the user name.
Just create a user with a editor role and readonly access to userroles: he can just type "/superuser" in its preference dialog to gain full access.
The are multiple issues/tasks associated to this:
- user should not be have read/write permissions to the acls by default, this should be strictly forbidden unless explicitely added by a superuser
- the preference box dialog should not list group/roles (it makes no sense, just name me another app where users have a similar thing in their preference page!)
- a bug in the bug: if the user enters a role he doesn't have read rights for in the preference page the user node gets corrupted and can't be edited anymore
as previously discussed, IMHO a better solution would be allowing only readonly access to own user node by default and using a custom save handler for the preference page which allow editing of checked properties using a system operation. User preferences should use obviously a different dialog from the standard user edit dialog.
Nobody else cares about this?
- is cloned by
-
MAGNOLIA-2399 Make acl nodes read only for user
- Closed
- is related to
-
MAGNOLIA-574 User preferences
- Closed
-
MAGNOLIA-2400 Split Roles/Groups assignment from UserPreferences dialog
- Closed