[MAGNOLIA-2318] Default user privileges are not enough for user to change their own preferences
Created: 12/Aug/08  Updated: 23/Jan/13  Resolved: 13/Aug/08

Status: Closed
Project: Magnolia
Component/s: security
Affects Version/s: 3.6.1
Fix Version/s: 3.6.2, 3.6.3

Type: Bug
Priority: Major
Reporter: Jan Haderka
Assignee: Jan Haderka
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
dependency
is depended upon by MAGNOLIA-158 adminCentral: User: I can delete myself Closed
relation
is related to MAGNOLIA-3006 privileges escalation by logged user Closed
is related to MAGNOLIA-2317 Reading user nodes without having cor... Closed

 Description   

Every user gets, by default, permission to access the children of their own node. The permission is assigned via an ACL directly under the user account. However, this permission gives the user the right to modify the children of their own node only. To modify their own account, users also need permission to read their own account node.
In short:

user
 - acl_users
    - 0
       - path = /admin/userName/*
       - permission = 63

needs to be changed to

user
 - acl_users
    - 0
       - path = /admin/userName/*
       - permission = 63
    - 1
       - path = /admin/userName
       - permission = 8

We should perhaps also introduce an update task to add this second permission to all existing users.
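
An added illustration, not part of the original issue and not Magnolia's code: a simplified model of path-pattern ACL evaluation showing why `/admin/userName/*` does not cover `/admin/userName` itself, plus an audit and update pass in the spirit of the proposed update task. The matching and OR-combination rules, the function names and the sample users are assumptions made for this example.

```python
import re

READ = 8   # the issue uses permission 8 for read access to the user node
ALL = 63   # 0b111111: all six low permission bits set

def matches(pattern, path):
    """True if path matches an ACL pattern; '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path) is not None

def granted(acl, path):
    """Union of permission bits from every entry whose pattern matches path
    (assumed combination rule for this model)."""
    bits = 0
    for pattern, permission in acl:
        if matches(pattern, path):
            bits |= permission
    return bits

def can(acl, path, permission):
    """True only if every requested bit is granted on path."""
    return (granted(acl, path) & permission) == permission

def users_missing_self_read(acls, root="/admin"):
    """Audit: users whose ACL does not let them read their own account node."""
    return sorted(u for u, acl in acls.items() if not can(acl, f"{root}/{u}", READ))

def add_self_read(acls, root="/admin"):
    """Model of the proposed update task: append the second entry where missing."""
    for user in users_missing_self_read(acls, root):
        acls[user].append((f"{root}/{user}", READ))

# Constructed sample data: 'alice' has the 3.6.1 default, 'bob' the corrected ACL.
ACLS = {
    "alice": [("/admin/alice/*", ALL)],
    "bob": [("/admin/bob/*", ALL), ("/admin/bob", READ)],
}

if __name__ == "__main__":
    print(users_missing_self_read(ACLS))            # ['alice']
    add_self_read(ACLS)
    print(users_missing_self_read(ACLS))            # []
    print(can(ACLS["alice"], "/admin/alice", ALL))  # False
```

After the update pass the user node itself carries only the read bit, so the model still denies the full 63 mask on `/admin/alice`.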



 Comments   
Comment by Jan Haderka [ 13/Aug/08 ]

r17321, r17317, r17313
