[MAGNOLIA-1265] User Dialog allows to add denied Roles

Created: 12/Dec/06  Updated: 23/Jan/13  Resolved: 15/Aug/08

Status: Closed
Project: Magnolia
Component/s: admininterface, core, security
Affects Version/s: 3.0.1
Fix Version/s: 3.6.2, 3.6.3

Type: Improvement Priority: Major
Reporter: Claudio Greuter Assignee: Jan Haderka
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Magnolia 3 RC4


Issue Links:
relation
is related to MAGNOLIA-2317 Reading user nodes without having cor... Closed
is related to MAGNOLIA-3040 Remove ACL references to itself for a... Closed
is related to MAGNOLIA-574 User preferences Closed

 Description   

I created a User whose role denies him access to certain roles like superuser, editor etc. The goal was to create a limited user manager that only can assign certain roles to new users.

After setting the required role access to denied, the "Choose" button in the "new user" dialog correctly showed only the allowed roles.
However it is still possible to add a new user with the role "superuser" by just typing "/superuser" in the field for the roles. I guess the same applies also for other areas like groups etc.

This behaviour allows a limited user to bypass the Rights. In my opinion it should be checked on Save if the user has read access to the Role or not.
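
A sketch of the save-time check the report asks for, added here as an illustration; it is not Magnolia code and not the fix that shipped. `RoleAccess`, `unreadableRoles` and the `/author` role are hypothetical names, and the ACL lookup is reduced to a set of readable role paths.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class RoleSaveCheck {

    // Hypothetical stand-in for the ACL lookup; not a Magnolia API.
    interface RoleAccess {
        boolean canRead(String rolePath);
    }

    // Returns every submitted role path the acting user cannot read.
    // The save handler should reject the request unless this list is empty,
    // regardless of what the "Choose" dialog offered in the browser.
    static List<String> unreadableRoles(List<String> submitted, RoleAccess acting) {
        List<String> rejected = new ArrayList<>();
        for (String raw : submitted) {
            String path = raw == null ? "" : raw.trim();
            if (path.isEmpty()) {
                continue; // blank field entry, nothing to assign
            }
            if (!acting.canRead(path)) {
                rejected.add(path);
            }
        }
        return rejected;
    }

    public static void main(String[] args) {
        // Constructed sample: the limited user manager can read only /author.
        Set<String> readable = Set.of("/author");
        RoleAccess limitedManager = readable::contains;

        // "/superuser" was typed into the roles field instead of being picked.
        List<String> submitted = List.of("/author", "/superuser");

        List<String> rejected = unreadableRoles(submitted, limitedManager);
        if (rejected.isEmpty()) {
            System.out.println("save allowed");
        } else {
            System.out.println("save refused, unreadable roles: " + rejected);
        }
    }
}
```

The same check would apply to any other field that accepts typed paths, such as the groups field the reporter mentions.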

