Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[QA] unprivileged users can promote themselves to admin #879

Closed
jnweiger opened this issue Nov 17, 2020 · 7 comments · Fixed by #894
Closed

[QA] unprivileged users can promote themselves to admin #879

jnweiger opened this issue Nov 17, 2020 · 7 comments · Fixed by #894
Labels
OCIS-Fastlane Planned outside of the sprint Type:Bug

Comments

@jnweiger
Copy link
Contributor

jnweiger commented Nov 17, 2020
edited
Loading

Setup via docker-compose-eos-test.yml at branch fix-yml-for-rc5 on localhost

  • eos space set default on for [QA] eos fst are offline by default - upload fails #862
  • Login user marie
  • Click the 9 dots menu, select accounts.
  • Note that marie is Role User.
  • Try '+Create new account' -> it fails. Good.
  • Switch Role from User to Admin.
    image
  • Try '+Create new account' again.

image

Oops.

Expected behavior: normal user cannot.
@exalate-issue-sync exalate-issue-sync bot added bug OCIS-Fastlane Planned outside of the sprint labels Nov 18, 2020
@kulmann
Copy link
Contributor

kulmann commented Nov 18, 2020

We recently introduced a SelfManagement permission to the Userrole. As a result the accounts UI shows the logged in user. This made it possible here, to uncover that we in fact don't have any permission checks for assigning/unassigning roles. Needs to be implemented ASAP. Might make sense to move the role assignments to the account service in the same PR.

@exalate-issue-sync
Copy link

David Christofas commented: I just looked into this and it seems like the permission checks in the settings service are missing in general.
For me it wasn't clear how to implement them so I unassigned myself until I can pair on this with someone who knows.

@exalate-issue-sync
Copy link

David Christofas commented: I found a way.

@C0rby
Copy link
Contributor

C0rby commented Nov 18, 2020

@kulmann, what is the reason for moving the role assignments to the accounts service?
I understand that right now the accounts UI is depending on the settings service but when we move the assignments to the accounts service then the accounts backend will still depend on the settings service.

@kulmann
Copy link
Contributor

kulmann commented Nov 18, 2020

@C0rby

  1. it would save us a request in the account_resolve middleware in the proxy, because we could return the role assignments directly from the account service instead of having to make a second request to the settings services.
  2. when creating users we assign a role. that could happen in the same service then, so it reduces latency.

@C0rby
Copy link
Contributor

C0rby commented Nov 18, 2020

Ah you mean we would even move the store to the accounts service?

@C0rby C0rby mentioned this issue Nov 18, 2020
Merged
@jnweiger
Copy link
Contributor Author

jnweiger commented Dec 1, 2020

Confirmed fixed in rc6

einstein can still change his role to admin in the web UI, but it has no effect. On a reload his role is shown as 'user' again. OK.

@jnweiger jnweiger mentioned this issue Dec 1, 2020
Closed
@micbar micbar mentioned this issue Dec 16, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
OCIS-Fastlane Planned outside of the sprint Type:Bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

add permission check to role management owncloud/ocis
3 participants
@jnweiger @kulmann @C0rby