Permission settings: limited permissions with access-permissions enabled #4825
Labels
feat: roles / permissions
stat: triaged
subj: security
type: improvement
Your Rocket.Chat version: 0.44
Let's say you have a role semi-admin that has permissions to do almost everything but doesn't have permission to assign the admin role, in order to prevent it from deleting the original admin accounts. If a user of this role has permission to access the permission settings, he can simply give himself the permission to assign the admin role and can also create new roles that have permission to assign the admin role.
My workaround at the moment is that this role has no access to the permissions, but in future I would prefer users of this role to be able to create and manage roles.
Possible solution:
If a custom role has access-permissions checked but some other permissions unchecked, then it should not be able to assign itself those permissions or create new roles with those specific permissions.
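The rule proposed above, written out as an added example (this is not Rocket.Chat's code and does not reflect how its permission model is implemented): the actor's effective permissions are the union of the permissions of all their roles, and granting a permission to any role, or creating a role with a set of permissions, is refused unless the actor already holds every permission being handed out. The role names, the `rolePermissions` map and the `delete-user` permission are constructed for the example; `access-permissions` and `assign-admin-role` stand for the two permissions the issue talks about.

```javascript
// Added example, not Rocket.Chat's own code. Demonstrates the check proposed
// in the issue: a user who can edit permissions may only grant permissions
// they themselves hold, whether to an existing role or via a new role.

// Constructed role -> permissions map (not the real Rocket.Chat defaults).
const rolePermissions = {
  admin: new Set(['access-permissions', 'assign-admin-role', 'delete-user']),
  'semi-admin': new Set(['access-permissions', 'delete-user']),
  user: new Set(),
};

// Effective permissions of an actor = union over all roles they hold.
function effectivePermissions(actorRoles, roleMap = rolePermissions) {
  const held = new Set();
  for (const role of actorRoles) {
    for (const p of roleMap[role] || []) held.add(p);
  }
  return held;
}

// Permissions in `requested` that the actor does not hold (empty = fine).
function missingPermissions(actorRoles, requested, roleMap = rolePermissions) {
  const held = effectivePermissions(actorRoles, roleMap);
  return requested.filter((p) => !held.has(p));
}

// Grant one permission to an existing role. Refused unless the actor may edit
// permissions at all AND already holds the permission being granted, so a
// semi-admin cannot hand itself assign-admin-role.
function grantPermission(actorRoles, targetRole, permission, roleMap = rolePermissions) {
  const held = effectivePermissions(actorRoles, roleMap);
  if (!held.has('access-permissions')) {
    return { ok: false, reason: 'actor lacks access-permissions' };
  }
  if (!held.has(permission)) {
    return { ok: false, reason: `actor does not hold ${permission}` };
  }
  if (!roleMap[targetRole]) {
    return { ok: false, reason: `unknown role ${targetRole}` };
  }
  roleMap[targetRole].add(permission);
  return { ok: true };
}

// Create a new role. The same rule is applied to the whole permission set at
// once, so the escalation cannot be smuggled in through a fresh role.
function createRole(actorRoles, name, permissions, roleMap = rolePermissions) {
  const held = effectivePermissions(actorRoles, roleMap);
  if (!held.has('access-permissions')) {
    return { ok: false, reason: 'actor lacks access-permissions' };
  }
  const missing = missingPermissions(actorRoles, permissions, roleMap);
  if (missing.length > 0) {
    return { ok: false, reason: `actor does not hold ${missing.join(', ')}` };
  }
  if (roleMap[name]) {
    return { ok: false, reason: `role ${name} already exists` };
  }
  roleMap[name] = new Set(permissions);
  return { ok: true };
}

// Walk through the two escalation paths described in the issue.
console.log(grantPermission(['semi-admin'], 'semi-admin', 'assign-admin-role'));
console.log(createRole(['semi-admin'], 'shadow-admin', ['assign-admin-role']));
// A grant within the actor's own permissions is still allowed.
console.log(grantPermission(['semi-admin'], 'user', 'delete-user'));
```

The check is deliberately made on the actor's effective permissions rather than on the single access-permissions flag: holding access-permissions only decides whether the actor may touch the permission editor, and each individual permission being granted is then tested separately. The same test would have to sit in front of every code path that writes role permissions (UI, REST and realtime methods alike), otherwise the bypass simply moves to the unchecked path.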