[ http://jira.magnolia.info/browse/MAGNOLIA-2388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18120#action_18120 ]
Jan Haderka commented on MAGNOLIA-2388:
---------------------------------------

{quote}
Since this is intended for end users (editors, not magnolia administrators) I am pretty scared also by the fact that users can easily lock themselves out using a similar dialog. There is no security involved here, only people that may click on that "remove" button near to the "roles" thing in the dialog (also checking the disable checkbox, but that's too explicit also for a dummy user)... it's just a
{quote}

True, on the other hand if you get power user or local admin rights on a Windows machine you can also inadvertently lock yourself out. (Not saying that Magnolia should be stupid like that, just that this is a common possibility.)

{quote}
sort of self-destroy button if you consider a kind of user which neither knows what roles are in magnolia since they always only took care of editing contents. I think it could be just a little more user friendly to not give them such power
{quote}

In my experience users fear what they don't know and would not touch it, being afraid of what can happen.

{quote}
what about just creating a simpler dialog for 3.6.2 and leave the other stuff (make the ordinary one unreachable for ordinary users) for 3.7? Should be a simple thing and doesn't change anything we had in 3.6.1.
{quote}

Right now, the exact same dialog is used and the handling is exactly the same both for a superuser editing someone's preferences and for users themselves. We can change it, but I don't see how this can be done without actually changing the way this works (which is why I don't want to do it for 3.6.x). But we can always try. If you can solve it with minimal changes, do so on the trunk and we can then backport it to the 3.6 branch. In case we don't solve it before 3.6.2 is going out (most likely next week), we can always just disable the link to user preferences for 3.6.2 so the users won't be tempted.
Perhaps the simplest change in the mean time would be to make this groups/roles control read-only unless the user has full rights to the userroles/usergroups workspaces (== superuser).

> Easy privilege escalation from user preferences
> -----------------------------------------------
>
> Key: MAGNOLIA-2388
> URL: http://jira.magnolia.info/browse/MAGNOLIA-2388
> Project: Magnolia
> Issue Type: Bug
> Components: security
> Affects Versions: 3.6.2
> Reporter: Fabrizio Giustina
> Assignee: Fabrizio Giustina
> Priority: Blocker
> Fix For: 3.6.2
>
> This is a leftover from MAGNOLIA-574: since the task was closed ignoring my comments and no other task is listed for 3.6.2 I am adding this as a separate issue since IMHO magnolia 3.6.2 can't be released as it is now...
>
> After the change in MAGNOLIA-574 and related, now every user (at least with read-only access to the user repository) can self-change its role to superuser using the preference dialog linked to the user name.
>
> Just create a user with an editor role and read-only access to userroles: he can just type "/superuser" in his preference dialog to gain full access.
>
> There are multiple issues/tasks associated with this:
> - users should not have read/write permissions to the acls by default; this should be strictly forbidden unless explicitly added by a superuser
> - the preference box dialog should not list groups/roles (it makes no sense, just name me another app where users have a similar thing in their preference page!)
> - a bug in the bug: if the user enters a role he doesn't have read rights for in the preference page, the user node gets corrupted and can't be edited anymore
>
> As previously discussed, IMHO a better solution would be allowing only read-only access to one's own user node by default and using a custom save handler for the preference page which allows editing of checked properties using a system operation.
> User preferences should obviously use a different dialog from the standard user edit dialog.
>
> Nobody else cares about this?
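A model of the mitigation discussed in this thread (a custom save handler for the preferences dialog that allows only an allow-list of self-editable properties, with roles/groups writable only by someone who has write rights on the userroles/usergroups workspaces) as an added example; this is not Magnolia code, and Actor, SELF_EDITABLE, PRIVILEGED, KNOWN_ROLES and save_preferences are assumed names chosen for illustration:

```python
# Added example, not Magnolia's code: a model of the "custom save handler"
# mitigation. All names below are assumptions made for illustration.
from dataclasses import dataclass, field

# Properties an ordinary editor may change on their own user node.
SELF_EDITABLE = frozenset({"title", "email", "language"})
# Properties that grant or remove privileges; never writable from the
# self-service preferences dialog, only by an account manager (superuser).
PRIVILEGED = frozenset({"roles", "groups", "enabled"})
# Constructed registry of roles that exist; writing a role the user cannot
# read was what corrupted the user node in the original report.
KNOWN_ROLES = frozenset({"/editor", "/superuser", "/anonymous"})


@dataclass
class Actor:
    name: str
    # Workspaces the actor may write to, as granted by a superuser.
    writable_workspaces: frozenset = field(default_factory=frozenset)

    def can_manage_accounts(self) -> bool:
        # Full rights to both account workspaces (== superuser on the page).
        return {"userroles", "usergroups"} <= self.writable_workspaces


class SaveRejected(Exception):
    pass


def save_preferences(actor: Actor, user_node: dict, submitted: dict) -> dict:
    """Apply `submitted` to a copy of `user_node` and return it, or raise.

    The original node is never mutated, so a rejected save leaves it intact.
    """
    if user_node["name"] != actor.name and not actor.can_manage_accounts():
        raise SaveRejected(f"{actor.name} may only edit their own node")
    updated = dict(user_node)
    for key, value in submitted.items():
        if key in PRIVILEGED:
            # The dialog may display roles, but only an account manager may
            # save them; an editor typing "/superuser" is rejected here.
            if not actor.can_manage_accounts():
                raise SaveRejected(f"{actor.name} may not change {key!r}")
            if key == "roles":
                unknown = set(value) - KNOWN_ROLES
                if unknown:
                    raise SaveRejected(f"unknown roles {sorted(unknown)}")
        elif key not in SELF_EDITABLE:
            # Allow-list guard: anything not explicitly a preference is refused.
            raise SaveRejected(f"property {key!r} is not a user preference")
        updated[key] = value
    return updated
```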