[Bug]: Ensure user is not created as admin first before the update

[AndreasA]

Plugin Version

4.2.1

PHP Version

8.1

Shopware Version

6.4.18.1

Installation method

Composer

Identity provider

Google Cloud

What happened?

The shopware user provisioner creates a user as admin by default. Therefore, the user is first created as admin - as nothing else is specified.

It would probably be better to initially create the user as non admin there and only use updateUser to set admin to true, if specified accordingly.

Relevant log output

No response

[JoshuaBehrens]

I like the approach following least privilege first :) we check whether we will release it as an update or take care of it in our already started 6.5 refactoring process.

[AndreasA]

I have not checked the code but is this still an issue with 6.0 or has this actually been fixed?

[wimwenigerkind]

In the current setup shown in the screenshot where I used plugin version 7, the Shopware user provisioner creates a user without any roles by default. This means that every new user is initially assigned no roles because no other specification is provided.

As a result, users encounter missing permissions errors, such as “locale” and “language”, which indicate that they do not have the necessary permissions for certain actions.

To prevent these errors and ensure that users have the required permissions to perform their tasks, it is advisable to assign a default role that does not include admin rights. This default role should grant the necessary permissions, such as “locale” and “language”, so users can operate without encountering these errors.

[AndreasA]

@JoshuaBehrens Any news when this might be fixed? As currently one could use password forget if the update fails and the user has full admin permissions.

it should also be a simple fix, just add 'admin' => false to https://github.com/HEPTACOM/HeptacomShopwarePlatformAdminOpenAuth/blob/main/src/Service/UserResolver.php#L66

[JoshuaBehrens]

@AndreasA as @wimwenigerkind already mentioned: in the version 7 of the plugin this is fixed by having a different approach on managing roles at all. So this could be the way for you to work with it.

[AndreasA]

Hi @JoshuaBehrens the issue still exists in theory:

• If you don't find a user, one is created here https://github.com/HEPTACOM/HeptacomShopwarePlatformAdminOpenAuth/blob/7.0.0/src/Service/UserResolver.php#L66
  • This adds a user to the database with admin = true.
• In postUpdates the permissions are adjusted accordingly (rules etc.) https://github.com/HEPTACOM/HeptacomShopwarePlatformAdminOpenAuth/blob/7.0.0/src/Service/UserResolver.php#L71
• However, if for whatever reason the process fails before the update call, e.g. memory limit or whatever, the following would be possible:
  • User can request a password forgotten mail.
  • User logs in with the new password.
  • User has full admin permissions.

As mentioned it is a bit of an edge case but the fix is quite simple, just call

 $this->userProvisioner->provision($user->primaryEmail, $password, ['admin' => false, 'email' => $user->primaryEmail]);

instead of

 $this->userProvisioner->provision($user->primaryEmail, $password, ['email' => $user->primaryEmail]);

I can create a PR for this. Would also like to see that change in 6.x for extended support Shopware versions.

Maybe even active could be set to false and enabled in the update call, but that is not that important as a user without admin setting and without any other roles has no permissions to do anything whatsoever.