
Acl: New user accounts assigned to system generated role bypasses security checks #457

Closed
oyeaussie opened this issue Jul 6, 2024 · 1 comment
Assignees: oyeaussie
Labels: invalid, P1, Securitybug
Milestone: 0.0.0-rc.6

Comments

oyeaussie (Contributor) commented Jul 6, 2024

The Registered Users role is system generated at the time of install, and the permissions array is empty in that role.

When we create a new user, we assign them a role and also push default permissions (all 0s). This should bypass the security check.

######## Issue imported from Gitea ########

Details

Gitea Issue ID : 520
State : open
Created : 2024-04-15T17:28:21+10:00

Timeline

Label : Added P1 on 2024-04-15T17:28:21+10:00.
Label : Added Securitybug on 2024-04-15T17:28:21+10:00.
Commit Reference: !520 - Added proper checks.
Commit Reference: !520 - check in basecomponent
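The failure mode the report describes, modelled as an added example that is not the project's own code and not taken from the commits referenced above: a system-generated role whose permissions array is empty, a new user who is pushed a default all-zeros permissions block, and an access check that treats the empty role array as "nothing to enforce" and falls open. The class names, the `component -> action -> 0/1` layout, the `check_access_open` and `check_access_deny_default` functions and the sample users are all assumptions made for illustration. The hardened check shown beside it grants only on an explicit 1 at the user or role level and denies on anything else, which is the behaviour an ACL should have regardless of how the role was created.

```python
"""Added example, not code from the project in this issue.

Models an ACL check that falls open when a role's permissions array is
empty, next to a deny-by-default check that does not.  All names and the
permission layout here are assumptions for illustration only.
"""
import copy
from dataclasses import dataclass, field

# Assumed layout (illustration only): component -> action -> 0/1.
# "All 0s" is what the issue says a new user is pushed by default.
DEFAULT_PERMS = {
    "users": {"view": 0, "edit": 0},
    "settings": {"view": 0, "edit": 0},
}


@dataclass
class Role:
    name: str
    # A system-generated role such as "Registered Users" has an empty array.
    permissions: dict = field(default_factory=dict)


@dataclass
class User:
    name: str
    role: Role
    permissions: dict = field(
        default_factory=lambda: copy.deepcopy(DEFAULT_PERMS)
    )


def check_access_open(user: User, component: str, action: str) -> bool:
    """Weak check (hypothetical): a user-level 0 is read as 'not set here,
    fall back to the role', and an empty role array is read as 'nothing
    configured, nothing to enforce', so the check returns True."""
    if user.permissions.get(component, {}).get(action, 0) == 1:
        return True
    role_perms = user.role.permissions
    if not role_perms:
        return True  # falls open: no entries, so no denial is ever found
    return role_perms.get(component, {}).get(action, 0) == 1


def check_access_deny_default(user: User, component: str, action: str) -> bool:
    """Hardened check: only an explicit 1 at the user or role level grants.
    An empty permissions array, a missing component, a missing action or a 0
    all evaluate to denial, so a system-generated role with no entries cannot
    be used to reach anything."""
    for perms in (user.permissions, user.role.permissions):
        if perms.get(component, {}).get(action, 0) == 1:
            return True
    return False


# Constructed sample data (not from the project).
REGISTERED_USERS = Role("Registered Users")  # empty array, as in the report
NEW_USER = User("alice", REGISTERED_USERS)   # default all-0s permissions

ADMINS = Role("Administrators", {"settings": {"view": 1, "edit": 1}})
ADMIN = User("bob", ADMINS)

VIEWERS = Role("Viewers", {"settings": {"view": 1, "edit": 0}})
VIEWER = User("carol", VIEWERS)


if __name__ == "__main__":
    for name, check in (("open", check_access_open),
                        ("deny-default", check_access_deny_default)):
        print(name, "new user settings/edit:",
              check(NEW_USER, "settings", "edit"))
```

Note that the weak check only misbehaves for the empty-array case: the Viewers role, which carries an explicit 0 for `settings/edit`, is denied by both checks, which is why a test that only exercises configured roles would not catch the bug.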

oyeaussie added the P1 and Securitybug labels Jul 6, 2024
oyeaussie self-assigned this Jul 6, 2024
oyeaussie added this to the 0.0.0-rc.6 milestone Jul 7, 2024
oyeaussie added the invalid label Jul 9, 2024
oyeaussie (Contributor, Author) commented

Can't reproduce.

oyeaussie closed this as not planned Jul 9, 2024