Acl: New user accounts assigned to system generated role bypasses security checks #457
Labels
invalid: Issue does not exist or is fixed in another issue which we are unaware of
P1: If not fixed, why even bother developing
Securitybug: And... you got hacked because of this
The Registered Users role is system-generated at install time, and the permissions array in that role is empty.
When we create a new user, we assign them a role and also push default permissions (all 0s). This should bypass the security check.
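The following is an added example, not code from the project this issue belongs to. It models the bug class the report describes: a system-generated role whose permissions array is empty, a new user who receives default permissions of all 0s, and a permission check that fails open when no entry is present. The action names, the dictionary layout for roles and users, and both check functions are assumptions made for illustration; the project's real data layout and the check fixed in the referenced commits are not shown on the page.

```python
"""Fail-open versus fail-closed ACL checks on an empty role permissions array.

Added example (not the project's code). All names and data below are
constructed for illustration; they do not come from the project.
"""

# Assumed set of protected actions.
ACTIONS = ("post.create", "post.delete", "admin.access")

# Constructed sample roles. "Registered Users" mirrors the report: created
# at install time with an empty permissions array. "Admins" is a contrast.
ROLES = {
    "Registered Users": {},
    "Admins": {action: 1 for action in ACTIONS},
}


def new_user(username, role):
    """Create a user the way the report describes: assign a role and push
    default permissions of all 0s."""
    return {
        "name": username,
        "role": role,
        "permissions": {action: 0 for action in ACTIONS},
    }


def permitted_weak(user, action):
    """Assumed fail-open check that reproduces the bug class.

    Only an explicit 0 in the role's array denies; a missing entry falls
    through to allow and the user's own 0s are never consulted. With an
    empty role array every action is therefore allowed.
    """
    role_perms = ROLES[user["role"]]
    if role_perms.get(action) == 0:
        return False
    return True


def permitted_strict(user, action):
    """Fail-closed check: the action must be explicitly granted (1) by the
    role or by the user's own permissions. Missing keys and empty arrays
    deny, so the install-time role grants nothing until configured."""
    role_perms = ROLES[user["role"]]
    user_perms = user["permissions"]
    return role_perms.get(action, 0) == 1 or user_perms.get(action, 0) == 1


def roles_with_empty_permissions(roles):
    """Audit helper: list roles whose permissions array is empty, the
    condition that makes a fail-open check dangerous. Useful as a startup
    or install-time sanity check."""
    return sorted(name for name, perms in roles.items() if not perms)


if __name__ == "__main__":
    alice = new_user("alice", "Registered Users")
    for action in ACTIONS:
        print(action,
              "weak:", permitted_weak(alice, action),
              "strict:", permitted_strict(alice, action))
    print("roles with empty permissions:", roles_with_empty_permissions(ROLES))
```

The point of the strict variant is that the decision never depends on what is absent: an empty role array and a user whose defaults are all 0s both evaluate to "no grant", which is the state the report says the system-generated role should be in. The audit helper is the kind of check one would run in a base component at startup so an empty system role is noticed before any request is authorized against it.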
######## Issue imported from Gitea ########
Details
Gitea Issue ID : 520
State : open
Created : 2024-04-15T17:28:21+10:00
Timeline
Label : Added P1 on 2024-04-15T17:28:21+10:00.
Label : Added Securitybug on 2024-04-15T17:28:21+10:00.
Commit Reference: !520 - Added proper checks.
Commit Reference: !520 - check in basecomponent