- Story
- Resolution: Fixed
- Neutral
Forum on M4.5 had a sophisticated security model which is currently not supported by Magnolia 5.
The bootstrap (originating from the M4.5 version) installs these 4 roles:
1) forum-base
2) forum_ALL-user
3) forum_ALL-admin
4) forum_ALL-moderator
(2), (3) and (4) all come with an ACL permission for the forum workspace which the M5 security app cannot display correctly (see screenshot) and which is lost when someone edits it.
Instead of the permission "moderateAndDelete", use "read & write".
Forum 3.3 should apply the following simple security model:
(a) role forum-base is required to access the forum-app
(b) to moderate (=> approve or reject a message) a user must have the role forum_ALL-moderator or forum_ALL-admin
(c) if a user has the above described permission to moderate a forum, he can moderate every forum
(a) is already done but probably arguable.
=>
- clean install: ensure the bootstraps contain only roles which can be handled by M5; remove bootstraps that are no longer used
- clean update: ensure the config of an installed forum gets roles which can be handled by M5 on update
- clean code: ensure DefaultForumManager#isModerator works properly (based on roles)
- disable automatic creation of roles when a forum is created in the forum config (change the config in the bootstrap or in already installed versions)
- is related to
  - MGNLCMNT-102 Security-related bootstraps contain only ACL-permissions which can be handled by M5 (Closed)