[MAGNOLIA-2399] Make acl nodes read only for user

| Created | 29/Sep/08 |
| Updated | 19/Dec/16 |
| Resolved | 04/Nov/15 |
| Status | Closed |
| Project | Magnolia |
| Component/s | admininterface, security |
| Affects Version/s | None |
| Fix Version/s | None |
| Type | Improvement |
| Priority | Major |
| Reporter | Jan Haderka |
| Assignee | Philipp Bärfuss |
| Resolution | Won't Do |
| Votes | 0 |
| Labels | None |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original Estimate | Not Specified |
| Description |

While this is not exposed via UI anywhere, it would be definitely safer to have user rights to their own ACLs limited.
| Comments |
| Comment by Magnolia International [ 16/Feb/09 ] |
Well, isn't it exposed via the user edit/preferences dialog?
| Comment by Jan Haderka [ 24/Feb/09 ] |
Not this particular aspect. The user can't abuse this via the user preferences dialog, as (s)he can only select the roles/groups (s)he can already see. But if a user were somehow to gain direct access to the workspace, and knew or guessed other existing roles or groups, it would be possible for such a user to gain extra access rights by adding fake entries for such a role/group. This is, however, not possible at the moment without creating and registering a special tree exposing the users workspace and supporting arbitrary node creation. To set it up you would have to have admin privileges already, hence you would have no need to set up such a thing in the first place. Still, it would be safer if ACLs were not stored under the users directly and any kind of write access from the users themselves to the ACLs could be restricted.
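The escalation path and the proposed restriction, as an added toy model (this is not Magnolia's code and not its real users-workspace layout; the `/users/<name>/acl` paths, the role names and the `ROLE_PERMISSIONS` table are all invented for illustration): a user who may write anywhere under their own user node can add an ACL entry naming a role they never held, which then shows up in their effective permissions. Denying writes under the `acl` subtree for everyone but an administrator closes that path while leaving ordinary preference edits under the same user node working.

```python
"""Toy model of ACL-under-user privilege escalation and the read-only fix.

Added example for this issue; it is NOT Magnolia's code or its real users
workspace layout.  Paths (/users/<name>/acl), role names and the permission
table are invented for illustration only.
"""
from __future__ import annotations
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a principal tries to write a node it may not write."""


# Hypothetical role -> permissions table (what each role's own ACL would grant).
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "editor": frozenset({"read", "write"}),
    "publisher": frozenset({"read", "write", "publish"}),
    "superuser": frozenset({"read", "write", "publish", "delete"}),
}


@dataclass
class UsersWorkspace:
    """Flat path -> properties store standing in for a users workspace.

    A user's role memberships live in nodes under /users/<name>/acl, i.e. the
    user node owns its own ACL, which is the layout the comment above warns about.
    """
    hardened: bool
    nodes: dict[str, dict[str, str]] = field(default_factory=dict)

    def can_write(self, actor: str, path: str) -> bool:
        if actor == "admin":
            return True
        own_subtree = f"/users/{actor}/"
        if not path.startswith(own_subtree):
            return False                      # never another user's node
        if self.hardened and path.startswith(own_subtree + "acl"):
            return False                      # fix: acl subtree is read-only for the user
        return True                           # original behaviour: whole own subtree writable

    def set_node(self, actor: str, path: str, props: dict[str, str]) -> None:
        """Create or overwrite a node, enforcing the write policy for `actor`."""
        if not self.can_write(actor, path):
            raise AccessDenied(f"{actor} may not write {path}")
        self.nodes[path] = dict(props)

    def roles_of(self, user: str) -> set[str]:
        prefix = f"/users/{user}/acl/"
        return {p["role"] for path, p in self.nodes.items()
                if path.startswith(prefix) and "role" in p}

    def effective_permissions(self, user: str) -> frozenset[str]:
        """Union of the permissions of every role named in the user's acl subtree."""
        perms: set[str] = set()
        for role in self.roles_of(user):
            perms |= ROLE_PERMISSIONS.get(role, frozenset())
        return frozenset(perms)


def run_scenario(hardened: bool) -> tuple[bool, frozenset[str]]:
    """Admin grants alice 'editor'; alice then tries to grant herself 'superuser'
    by writing directly into her own acl subtree (the direct-workspace-access
    path described in the comment).  Returns (escalation_succeeded, alice's perms)."""
    ws = UsersWorkspace(hardened=hardened)
    ws.set_node("admin", "/users/alice", {"name": "alice"})
    ws.set_node("admin", "/users/alice/acl/0", {"role": "editor"})
    # Editing her own preferences keeps working in both models.
    ws.set_node("alice", "/users/alice/preferences", {"language": "en"})
    try:
        ws.set_node("alice", "/users/alice/acl/1", {"role": "superuser"})
        escalated = True
    except AccessDenied:
        escalated = False
    return escalated, ws.effective_permissions("alice")


if __name__ == "__main__":
    for hardened in (False, True):
        ok, perms = run_scenario(hardened)
        print(f"hardened={hardened}: escalated={ok}, perms={sorted(perms)}")
```

The check in `can_write` is deliberately a deny rule layered on top of the user's own-subtree write grant, so it takes effect regardless of how the user obtained write access to the rest of their node; the same shape applies whether the ACL lives under the user node or is moved out of it, as the comment suggests.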
| Comment by Michael Mühlebach [ 04/Nov/15 ] |
Given the thousands of other issues we have open that are more highly requested, we won't be able to address this issue in the foreseeable future. Instead we will focus on issues with a higher impact, and more votes.