[ http://jira.magnolia.info/browse/MAGNOLIA-2388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18106#action_18106 ]

Jan Haderka commented on MAGNOLIA-2388:
---------------------------------------

Excellent. I think we have cleaned up all the confusion and are pretty much in 
sync now. :D

{quote} Summing up, these are the improvements I would suggest:

    * create a specific dialog for user preferences, without the group/role 
selector{quote}
Yes, but I would prefer not to change this for 3.6.2, but to do it on a major 
version (e.g. 3.7 - current trunk) instead. We also need to take care that the 
admin user still has such a dialog available and that it is unreachable for 
ordinary users even if they know the URL to access it directly. ... We also need 
to decide what makes a user privileged enough to access such a dialog.

{quote}
    * bugfix: if a wrong/unreadable role/group is manually inserted in the 
field, don't break the user node, just don't assign such group/role{quote}
This indeed needs to be fixed before the release. We might also want to add a 
warning to the log files that user such-and-such tried to assign himself 
something.

{quote}
   * make acls on the own user node not writable by default (so just making it 
secure by default and allowing to change it if needed).{quote}
Again, yes, but preferably for a major version rather than for a bugfix release. 
We will also need to decide how to handle the update of existing users here - 
change or keep???

I suggest we keep this issue open for the second point and split the two others 
into separate issues and target them for 3.7. WDYT?

> Easy privilege escalation from user preferences
> -----------------------------------------------
>
>                 Key: MAGNOLIA-2388
>                 URL: http://jira.magnolia.info/browse/MAGNOLIA-2388
>             Project: Magnolia
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.6.2
>            Reporter: Fabrizio Giustina
>            Assignee: Fabrizio Giustina
>            Priority: Blocker
>             Fix For: 3.6.2
>
>
> This is a leftover from MAGNOLIA-574: since the task was closed ignoring my 
> comments and no other task is listed for 3.6.2, I am adding this as a separate 
> issue since IMHO Magnolia 3.6.2 can't be released as it is now...
> After the change in MAGNOLIA-574 and related, now every user (at least with 
> read-only access to the user repository) can change his own role to 
> superuser using the preference dialog linked to the user name.
> Just create a user with an editor role and read-only access to userroles: he 
> can just type "/superuser" in his preference dialog to gain full access.
> There are multiple issues/tasks associated with this:
> - users should not have read/write permissions to the ACLs by default; this 
> should be strictly forbidden unless explicitly added by a superuser
> - the preference box dialog should not list groups/roles (it makes no sense, 
> just name me another app where users have a similar thing in their preference 
> page!)
> - a bug in the bug: if the user enters a role he doesn't have read rights for 
> in the preference page, the user node gets corrupted and can't be edited 
> anymore
> As previously discussed, IMHO a better solution would be allowing only 
> read-only access to the own user node by default and using a custom save 
> handler for the preference page which allows editing of checked properties 
> using a system operation. User preferences should obviously use a different 
> dialog from the standard user edit dialog.
> Nobody else cares about this?

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.magnolia.info/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
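The safe-by-default preference save handler discussed in this thread, as an added Python model that is not Magnolia code: only an allowlist of preference properties is writable through the dialog, role/group/ACL changes submitted there are dropped and logged rather than written, and on the administrative path unknown or unreadable roles are skipped instead of corrupting the user node. The property names, user names and roles are constructed for the example.

```python
"""Added example (not Magnolia code): a preference save handler that cannot be
used to assign roles, plus a role assignment that tolerates unreadable roles.
User nodes are modelled as plain dicts; all names below are constructed."""
import logging

log = logging.getLogger("user-preferences")

# Properties an ordinary user may change through the preferences dialog (constructed).
EDITABLE_PREFERENCES = frozenset({"title", "email", "language"})
# Properties that carry authority; never writable from the preferences dialog.
PROTECTED_PROPERTIES = frozenset({"roles", "groups", "acls"})


def apply_preferences(user_node, submitted, acting_user):
    """Return (updated_node, rejected_keys) with only allowlisted fields changed.

    A submitted "roles": ["/superuser"] is never written; it is logged so the
    attempt is visible to administrators. The input node is not mutated."""
    updated = dict(user_node)
    rejected = []
    for key, value in submitted.items():
        if key in PROTECTED_PROPERTIES:
            rejected.append(key)
            log.warning("user %r tried to change %r of %r to %r via preferences",
                        acting_user, key, user_node["name"], value)
            continue
        if key not in EDITABLE_PREFERENCES:
            rejected.append(key)  # unknown field: ignore, do not write
            continue
        updated[key] = value
    return updated, rejected


def assign_roles(user_node, requested_roles, known_roles, acting_user):
    """Administrative path: write only roles that exist and are readable.

    Unknown roles are skipped and logged instead of being stored, so a typo or
    an unreadable role leaves the node consistent and still editable."""
    valid = [r for r in requested_roles if r in known_roles]
    for role in requested_roles:
        if role not in known_roles:
            log.warning("user %r requested unknown/unreadable role %r for %r; skipped",
                        acting_user, role, user_node["name"])
    updated = dict(user_node)
    updated["roles"] = valid
    return updated
```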
