Magnolia UI: MGNLUI-2357

Check user permissions when saving ACLs


Details

    • Type: Bug
    • Resolution: Fixed
    • Priority: Blocker
    • Affects Version/s: 5.2
    • Fix Version/s: 5.2
    • Component/s: None
    • Labels: None

    Description

      In the Security app, in the dialog for editing roles and access control lists, a user can type arbitrary paths into the edit fields.

      When closing the dialog and saving the edited ACLs, there must be a check that the logged-in user does not assign rights to a role that are "higher" than the rights he himself has.

      Scenario:

      A "local" (multi-tenancy) admin who is restricted to administering the roles contained in the folder "/departmentOne" creates a new role and assigns Read/Write access for all the available objects on the root node ("/"), like in the superuser role. In addition, under "Web Access" he grants "Get&Post" to "/*".

      Assignment to an editor:

      After assigning this role to an editor, the editor does not get full superuser rights, but he can see all the websites and all the assets, not only the ones he should see.

      Assignment to himself:

      The local admin assigns the newly created role to himself and is then able to access all areas of the Security app.

      So we need to implement a security check to prevent such "options" in a multi-tenancy environment. A possible solution is to compile all access rights of the logged-in user account and compare them to the ones that are about to be assigned to a security object, rejecting the save when the new rights are not fully covered by the user's own.
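      The comparison suggested above, as an added stand-alone example; this is not Magnolia's code and uses none of its API. It assumes the ACL path semantics of the dialog ("/a/b" grants on that node only, "/a/b/*" on all its descendants), orders permission levels as plain integers (READ < WRITE, and GET < GET_POST for the "uri" rules), and keys entries by workspace name. The sample ACLs for the local admin and for the two roles are constructed to match the scenario in the description. The check is deliberately conservative: a requested entry passes only if a single entry of the user's own ACL covers its whole path range at an equal or higher level, so anything the user cannot prove he holds himself is refused.

```python
"""Privilege-containment check for ACL edits (illustrative model, not Magnolia code)."""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Ordinal permission levels (assumed for this example).
READ, WRITE = 1, 2          # repository workspaces (website, dam, userroles, ...)
GET, GET_POST = 1, 2        # "Web Access" rules, modelled as workspace "uri"


@dataclass(frozen=True)
class AclEntry:
    workspace: str   # e.g. "website", "dam", "userroles", "uri"
    path: str        # "/a/b" = that node only, "/a/b/*" = all descendants of /a/b
    level: int


def _split(path: str) -> Tuple[str, bool]:
    """Return (base path, is_subtree). '/*' means 'all descendants of /'."""
    if path.endswith("/*"):
        return path[:-2] or "/", True
    return path.rstrip("/") or "/", False


def _is_descendant(base: str, node: str) -> bool:
    """Strict descendant test on slash-separated paths; root is nobody's descendant."""
    if base == "/":
        return node != "/"
    return node.startswith(base + "/")


def covers(granted: str, requested: str) -> bool:
    """True if every node addressed by `requested` is addressed by `granted`."""
    g_base, g_sub = _split(granted)
    r_base, r_sub = _split(requested)
    if not g_sub:                       # a single-node grant covers only that node
        return not r_sub and g_base == r_base
    if r_sub:                           # subtree covers same or deeper subtree
        return g_base == r_base or _is_descendant(g_base, r_base)
    return _is_descendant(g_base, r_base)  # subtree covers any strict descendant node


def find_escalations(user_acl: Sequence[AclEntry], role_acl: Sequence[AclEntry]) -> List[AclEntry]:
    """Entries of `role_acl` that the user does not hold himself (deny by default)."""
    return [
        req for req in role_acl
        if not any(
            g.workspace == req.workspace and g.level >= req.level and covers(g.path, req.path)
            for g in user_acl
        )
    ]


def check_role_save(user_acl: Sequence[AclEntry], role_acl: Sequence[AclEntry]) -> None:
    """Raise PermissionError if saving `role_acl` would escalate beyond the user's rights."""
    bad = find_escalations(user_acl, role_acl)
    if bad:
        detail = ", ".join(f"{e.workspace}:{e.path}(level {e.level})" for e in bad)
        raise PermissionError(f"role grants rights the current user does not have: {detail}")


# Constructed sample data for the scenario in the description (hypothetical values).
LOCAL_ADMIN_ACL = [
    AclEntry("website", "/departmentOne", READ),
    AclEntry("website", "/departmentOne/*", WRITE),
    AclEntry("dam", "/departmentOne/*", WRITE),
    AclEntry("userroles", "/departmentOne/*", WRITE),
    AclEntry("uri", "/departmentOne/*", GET_POST),
]

# The role the local admin tries to create: superuser-like rights on "/" and "/*".
ESCALATING_ROLE = [
    AclEntry("website", "/", WRITE),
    AclEntry("website", "/*", WRITE),
    AclEntry("dam", "/*", WRITE),
    AclEntry("uri", "/*", GET_POST),
]

# A role confined to the admin's own department, which must still be allowed.
CONFINED_ROLE = [
    AclEntry("website", "/departmentOne/news/*", READ),
    AclEntry("dam", "/departmentOne/images", WRITE),
    AclEntry("uri", "/departmentOne/*", GET),
]


if __name__ == "__main__":
    check_role_save(LOCAL_ADMIN_ACL, CONFINED_ROLE)      # passes silently
    try:
        check_role_save(LOCAL_ADMIN_ACL, ESCALATING_ROLE)
    except PermissionError as err:
        print("rejected:", err)
```

      Note that "/*" does not cover "/" itself under these semantics, so a user holding only "/*" cannot hand out rights on the root node; whether that matches the dialog's real path semantics is an assumption of this example.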

              People

                pmundt Philip Mundt
                lfischer Lars Fischer
                Votes: 0
                Watchers: 2


                    Time Tracking

                      Estimated: Not Specified
                      Remaining: Not Specified
                      Logged: 1.35h