Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Custom roles overwritten after upgrading to OC 2.1.x #17216

Closed
intellimedhu opened this issue Dec 11, 2024 · 6 comments · Fixed by #17224
Closed

Custom roles overwritten after upgrading to OC 2.1.x #17216

intellimedhu opened this issue Dec 11, 2024 · 6 comments · Fixed by #17224
Labels
bug 🐛 P0 security

Comments

@intellimedhu
Copy link

I am using custom roles where RoleClaims is empty (director, sales manager):
image

After upgrading to Orchard Core 2.1.x (from 2.0.2), I noticed that all users are assigned the Administrator role.

I suspect the issue is related to the following line of code:

OrchardCore/src/OrchardCore.Modules/OrchardCore.Roles/Migrations/RolesMigrations.cs

Line 46 in 4ab7c34

r.RoleClaims.Count == 0 ||

@MikeAlhayek
Copy link
Member

MikeAlhayek commented Dec 11, 2024
edited
Loading

Did any of the roles director sales manager has the OwnerPermission granted to it? https://docs.orchardcore.net/en/latest/releases/2.1.0/#site-owner-permission-deprecated-administrator-role-retained-as-a-system-role

Also it would be great if you can provide reproduction steps. Do you import a recipe?

@intellimedhu
Copy link
Author

Roles are not assigned any permissions, including OwnerPermission.

Steps to reproduce:

  1. Using OC 2.0.2 create roles in the admin: Director, Sales Manager
  2. Do not assign any permissions to these roles.
  3. Still in the admin dashboard, create some users and assign them only the Director or Sales Manager role (no other roles are given).
  4. Upgrade to OC 2.1.0 (or higher), build, and run the application.
  5. The Administrator role is now assigned to the users created in step 3.

@gvkries
Copy link
Contributor

gvkries commented Dec 12, 2024
edited
Loading

This is a security critical bug, it adds users to the admin role during migration unintentionally!

Note that it looks like PR #17089 also added the same buggy behavior here too, because the SiteOwner claim is also required by the RolesMigrations and is now never assigned - I told you, rushing the removal of that claim is a mistake ;-)

MikeAlhayek added a commit that referenced this issue Dec 12, 2024
@MikeAlhayek
Roles with no permission are auto migrated to Administrator roles
6d3d836 
Fix #17216
@MikeAlhayek MikeAlhayek mentioned this issue Dec 12, 2024
Merged
@MikeAlhayek
Copy link
Member

This is a security critical bug, it adds users to the admin role during migration unintentionally

It is a bad security bug that will needs to be patched today.

Note that it looks like PR #17089 also added the same buggy behavior here too, because the SiteOwner claim is also required by the RolesMigrations and is now never assigned - I told you, rushing the removal of that claim is a mistake ;-)

It actually has nothing to do with that PR. It's a bug introduced by the original PR https://github.com/OrchardCMS/OrchardCore/pull/16781/files#diff-b72d3d57af6cb699ce3d2df36090731745456797fac627681ae3714a08c85cb9R44-R47

@gvkries
Copy link
Contributor

gvkries commented Dec 12, 2024

It actually has nothing to do with that PR. It's a bug introduced by the original PR https://github.com/OrchardCMS/OrchardCore/pull/16781/files#diff-b72d3d57af6cb699ce3d2df36090731745456797fac627681ae3714a08c85cb9R44-R47

You're right, I got confused by reading SiteOwner claim type, but it's the value... Sorry :-)

@intellimedhu
Copy link
Author

Thank you!

This was referenced Jan 1, 2025
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug 🐛 P0 security
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Roles with no permission are auto migrated to Administrator roles OrchardCMS/OrchardCore
3 participants
@gvkries @MikeAlhayek @intellimedhu