[ https://issues.apache.org/jira/browse/GUACAMOLE-1957?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17856876#comment-17856876 ]

Mike Jumper edited comment on GUACAMOLE-1957 at 6/21/24 10:35 PM:
------------------------------------------------------------------
I think it could also make sense for us to alter the way that the
{{ADMINISTER}}, {{UPDATE}}, etc. permissions are implicitly added to new
objects depending on how that permission was inherited in the first place.
Prior to user groups, when permissions could only ever come from a user
account, it made perfect sense for that permission to be tied to the user that
created the object. Now, with user groups well in place, it would be better if
that implicit {{ADMINISTER}} grant happens for all objects from which the user
creating the object inherits permission to create it (and _only_ those objects).

It would also be good for us to enhance the permission management interface
such that administrators can manage the more fine-grained {{UPDATE}},
{{ADMINISTER}}, etc. permissions, not just {{READ}}.

was (Author: mike.jumper):
I think it could also make sense for us to alter the way that the
{{ADMINISTER}} permission is implicitly added to new objects depending on how
that permission was inherited in the first place. Prior to user groups, when
permissions could only ever come from a user account, it made perfect sense for
that permission to be tied to the user that created the object. Now, with user
groups well in place, it would be better if that implicit {{ADMINISTER}} grant
happens for all objects from which the user creating the object inherits
permission to create it (and _only_ those objects).

It would also be good for us to enhance the permission management interface
such that administrators can manage the more fine-grained {{UPDATE}},
{{ADMINISTER}}, etc. permissions, not just {{READ}}.

> Permissions system behaving unexpectedly
> ----------------------------------------
>
> Key: GUACAMOLE-1957
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1957
> Project: Guacamole
> Issue Type: Bug
> Affects Versions: 1.5.5
> Environment: Guacamole and guacd installed using official docker
> images.
> Reporter: Adam
> Priority: Minor
>
> If a user has any administrative permissions assigned to him, either
> directly or inherited from a group, and created anything using these
> permissions (user, group, connection, etc.), he can perform administrative
> actions on these items even after the administrative permissions are detached
> from him directly or by removing him from the group from which these
> permissions were inherited.
> This effectively makes the user a lifelong administrator of items he created,
> even after this user does not have these permissions anymore.