[MAGNOLIA-3006] privilege escalation by logged-in user Created: 14/Jan/10  Updated: 02/Apr/13  Resolved: 15/Mar/10

Status: Closed
Project: Magnolia
Component/s: admininterface, security
Affects Version/s: 4.2.3
Fix Version/s: 4.3, 4.2.4, 4.1.6

Type: Bug Priority: Blocker
Reporter: Jan Haderka Assignee: Jan Haderka
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relation
is related to MAGNOLIA-2317 Reading user nodes without having cor... Closed
is related to MAGNOLIA-2318 Default user privileges are not enoug... Closed
is related to MAGNOLIA-2320 Remove hardcoded user permission modi... Closed
is related to MGNLSTK-621 Demo users have too many privileges a... Closed

 Description   

Under certain conditions it is possible for a knowledgeable user to escalate his/her own privileges beyond those originally assigned. The "user" in question must be a valid user with access to AdminCentral. The issue doesn't affect anonymous users.



 Comments   
Comment by Philipp Bärfuss [ 12/Mar/10 ]

The ACLs were added because the user must be able to change his own password.

I would go for a) as this is the only safe solution. But then we have to ensure that the user can change his properties in the dialog (but not the group and role assignments).

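The comment above states the root cause only in general terms: the ACL that lets a user write to his own user node (so that he can change his password) also covers whatever sits below that node, which is where group and role assignments live. The following is an added illustration, not Magnolia code: it models a JCR-like user tree with a small deny-by-default ACL evaluator and contrasts a subtree-wide write grant with one limited to the node itself. The paths (/users/<name>, a roles sub-node, a pswd property) are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry: a node path, the operation it allows, and
    whether the grant also applies to everything below that path."""
    path: str
    op: str            # "read" or "write"
    subtree: bool = True


def matches(ace: Ace, path: str) -> bool:
    """True if `path` is the ACE's node, or lies below it and the ACE is recursive."""
    if path == ace.path:
        return True
    return ace.subtree and path.startswith(ace.path.rstrip("/") + "/")


def permitted(acl: list[Ace], op: str, path: str) -> bool:
    """Deny by default; any matching ACE for the requested operation grants access."""
    return any(ace.op == op and matches(ace, path) for ace in acl)


def coarse_acl(user: str) -> list[Ace]:
    """Assumed pre-fix shape: write on the whole user node, sub-nodes included.
    This is what lets the user edit his own groups/roles sub-nodes."""
    return [Ace(f"/users/{user}", "read"),
            Ace(f"/users/{user}", "write")]


def scoped_acl(user: str) -> list[Ace]:
    """Hardened shape: write only on the user node itself (password, e-mail,
    other dialog properties), read-only on the sub-nodes below it."""
    return [Ace(f"/users/{user}", "read"),
            Ace(f"/users/{user}", "write", subtree=False)]


def sample_repo(user: str) -> dict:
    """Constructed stand-in for the users workspace: node path -> properties."""
    return {
        f"/users/{user}": {"pswd": "<hash>", "email": f"{user}@example.invalid"},
        f"/users/{user}/roles": {"0": "editor"},
        f"/users/{user}/groups": {},
    }


def escalation_succeeds(acl: list[Ace], user: str, repo: dict) -> bool:
    """Simulate the logged-in user adding a role to his own roles sub-node.
    Returns True if the ACL lets the write through (the escalation)."""
    roles_path = f"/users/{user}/roles"
    if not permitted(acl, "write", roles_path):
        return False
    repo[roles_path]["1"] = "superuser"   # the write the ACL should have blocked
    return True


if __name__ == "__main__":
    for name, acl in (("coarse", coarse_acl("alice")), ("scoped", scoped_acl("alice"))):
        repo = sample_repo("alice")
        print(f"{name:7s} acl: escalation {'succeeds' if escalation_succeeds(acl, 'alice', repo) else 'blocked'};",
              f"roles now {repo['/users/alice/roles']}")
```

Note that the scoped variant still lets the user write the `pswd` and `email` properties of his own node, which is the behaviour the password dialog needs, while the `roles` and `groups` sub-nodes fall outside the grant and stay read-only. Any real fix also has to make sure the node itself carries no property that the server interprets as a group or role assignment, since a node-level grant covers every property on that node.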
Comment by Magnolia International [ 12/Mar/10 ]

Maybe this is related: MAGNOLIA-158 should users be able to delete themselves?

Generated at Mon Feb 12 03:42:16 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.