Redback

user administrator should not be able to assign system administrator role

Details

  • Type: Bug Bug
  • Status: Open Open
  • Priority: Critical Critical
  • Resolution: Unresolved
  • Affects Version/s: 1.2-beta-2
  • Fix Version/s: None
  • Component/s: authorization
  • Labels:
    None
  • Number of attachments :
    0

Description

An user with manageUsers role should not be able to assign the admin role to anybody.

The problem expands to any role, i think the solution should be implemented in UserManager

When getting the list of available groups for adding to an user it must not return groups that have roles that the current user does not have. This must be checked in the method that adds an user to a group too.

When adding roles to an user group, only the roles of the current user can be added, to avoid people adding roles to their groups.

(NOTE) I have moved this issue from continuum, its a good general issue to illustrate how constraints should be made to work with rbac. I have a similar hacked up solution to this in continuum dealing with project group administrators, but this is a but higher level.

Issue Links

is related to

Bug - A problem which impairs or prevents the functions of the product. REDBACK-163 calculate assignable roles based on children only

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Jesse McConnell added a comment -

while this is indicated on the acegi-branch its something that should to checked that it is covered to a large enough degree by the plexus-security integration

Show
Jesse McConnell added a comment - while this is indicated on the acegi-branch its something that should to checked that it is covered to a large enough degree by the plexus-security integration
Hide
Permalink
Jesse McConnell added a comment -

this will be addressed with rbac constraints in the next release

Show
Jesse McConnell added a comment - this will be addressed with rbac constraints in the next release
Hide
Permalink
Brett Porter added a comment -

se REDBACK-163 - more generally, we need to calculate the assignable roles based on only roles that the user already has access to (and ensure that the user administrator gets access to all the application roles once sys admin is removed)

Show
Brett Porter added a comment - se REDBACK-163 - more generally, we need to calculate the assignable roles based on only roles that the user already has access to (and ensure that the user administrator gets access to all the application roles once sys admin is removed)

People

  • Assignee:
    Unassigned
    Reporter:
    Carlos Sanchez
Vote (1)
Watch (0)

Dates

  • Created:
    Updated: