[ http://jira.magnolia.info/browse/MAGNOLIA-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gregory Joseph updated MAGNOLIA-1265:
-------------------------------------

    Issue Type: Improvement  (was: Bug)
    Component/s: core
                 security
    Fix Version/s: 3.6.1  (was: 3.6)

> User Dialog allows to add denied Roles
> --------------------------------------
>
>                 Key: MAGNOLIA-1265
>                 URL: http://jira.magnolia.info/browse/MAGNOLIA-1265
>             Project: Magnolia
>          Issue Type: Improvement
>          Components: admininterface, core, security
>    Affects Versions: 3.0.1
>         Environment: Magnolia 3 RC4
>            Reporter: Claudio Greuter
>            Assignee: Philipp Bracher
>             Fix For: 3.6.1
>
>
> I created a User whose role denies him access to certain roles like
> superuser, editor etc. The goal was to create a limited user manager that
> only can assign certain roles to new users.
> After setting the required role access to denied, the "Choose" button in the
> "new user" dialog correctly showed only the allowed roles.
> However it is still possible to add a new user with the role "superuser" by
> just typing "/superuser" in the field for the roles. I guess the same applies
> also for other areas like groups etc.
> This behaviour allows a limited user to bypass the Rights. In my opinion it
> should be checked on Save if the user has read access to the Role or not.
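
The check on save that the report asks for, as an added example that is not part of the original report and is not Magnolia's code or API: the role picker only filters what is displayed, so the save path has to re-check every newly added role against the acting user's read access. The class, its method names, the `READABLE` set and the role names `/author` and `/reviewer` are constructed for illustration.

```java
import java.util.*;

public class RoleSaveCheck {
    // Constructed ACL of the limited user manager: role paths this user may read.
    // Anything not listed (e.g. /superuser, /editor) is denied by default.
    static final Set<String> READABLE = Set.of("/author", "/reviewer");

    // Canonicalise what was typed into the roles field, so "superuser",
    // "/superuser/" and " /superuser" are all compared as "/superuser".
    static String normalize(String raw) {
        String p = raw.trim().replaceAll("/+", "/");
        if (!p.startsWith("/")) p = "/" + p;
        if (p.length() > 1 && p.endsWith("/")) p = p.substring(0, p.length() - 1);
        return p;
    }

    // What the "Choose" button does: it only filters the list that is shown.
    static List<String> pickerChoices(List<String> allRoles) {
        List<String> out = new ArrayList<>();
        for (String r : allRoles) if (READABLE.contains(normalize(r))) out.add(r);
        return out;
    }

    // What save must also do: refuse any newly added role the actor cannot read.
    // Assumption: 'current' holds the edited user's existing roles, normalised.
    static Set<String> validateOnSave(Set<String> current, List<String> submitted) {
        Set<String> result = new LinkedHashSet<>();
        for (String raw : submitted) {
            String role = normalize(raw);
            if (!current.contains(role) && !READABLE.contains(role)) {
                throw new SecurityException("not permitted to assign role " + role);
            }
            result.add(role);
        }
        return result;
    }

    public static void main(String[] args) {
        List<String> all = List.of("/superuser", "/editor", "/author", "/reviewer");
        System.out.println("picker shows: " + pickerChoices(all));
        System.out.println("saved: " + validateOnSave(Set.of(), List.of("author")));
        for (String typed : List.of("/superuser", " superuser/ ")) {
            try {
                validateOnSave(Set.of(), List.of(typed));
                System.out.println("BUG: accepted " + typed);
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Roles the edited user already holds pass through unchanged, so a limited manager can still save a user whose existing roles are outside their own read access without being able to add such a role.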