camunda BPM
CAM-4663

A user named * can create/edit/delete all other users


Details

    • Type: Bug Report
    • Status: Closed
    • Priority: L3 - Default
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 7.4.0, 7.4.0-alpha3
    • Component/s: engine

    Description

      A user named * is able to create/edit/delete other users, although no authorizations are granted explicitly.

      Reason:

      • * is a reserved keyword in the authorization checks
      • when a user is created, a default authorization is created to allow the user to edit/delete its own profile. This means the resource id for that authorization entry is set to the user id
      • since * is a reserved keyword that grants authorization for all resources of a type, a user named * immediately receives this right

      Additional cases:

      • It should not be possible to create a group with id *
      • It should not be possible to set * as the currently authenticated user (since all authorizations created during this time are going to be granted to all users)
      • It should not be possible to assign a task to * (since then all users are granted READ and UPDATE for that task)
      • It should not be possible to set a task owner to *
      • It should not be possible to create a task identity link for a user *
      • It should not be possible to create a task filter with owner *

      Solution Idea:

      • Forbid creation of a user/a group named * (not sure how that might work when users are served from LDAP or some other external source)
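The following is an added example, not code from the Camunda engine. It is a reduced model of the collision the report describes: a reserved wildcard "*" that matches every user id and every resource id in an authorization check, a default authorization keyed on the user id that every new user receives, and the task-assignment case from the list above. The class and constant names (Engine, ANY, Authorization, ForbiddenIdentifier) and the permission/resource names are assumptions chosen for the illustration; the model shows the vulnerable behaviour and the proposed fix (rejecting "*" as an identifier) side by side.

```python
"""Model of the "*" wildcard collision from CAM-4663 (added example, not Camunda code)."""
from dataclasses import dataclass

ANY = "*"  # reserved wildcard in authorization checks (assumed name)

# Permission and resource names are assumptions for this illustration.
READ, UPDATE, DELETE = "READ", "UPDATE", "DELETE"
USER, GROUP, TASK = "USER", "GROUP", "TASK"


@dataclass(frozen=True)
class Authorization:
    user_id: str        # ANY means: applies to every user
    resource: str
    resource_id: str    # ANY means: applies to every resource of that type
    permissions: frozenset


class ForbiddenIdentifier(ValueError):
    """Raised when a reserved identifier is used where a real id is expected."""


class Engine:
    def __init__(self, reject_wildcard_ids: bool):
        # reject_wildcard_ids=False reproduces the reported behaviour,
        # reject_wildcard_ids=True applies the fix suggested in the report.
        self.reject_wildcard_ids = reject_wildcard_ids
        self.users, self.groups, self.authorizations = set(), set(), []

    def _check_id(self, kind: str, identifier: str) -> None:
        if self.reject_wildcard_ids and identifier == ANY:
            raise ForbiddenIdentifier(f"{kind} id {ANY!r} is reserved")

    def create_user(self, user_id: str) -> None:
        self._check_id("user", user_id)
        self.users.add(user_id)
        # Default authorization: the new user may read/update/delete its own profile.
        # Its resource id is the user id, which is where "*" becomes a wildcard.
        self.authorizations.append(
            Authorization(user_id, USER, user_id, frozenset({READ, UPDATE, DELETE})))

    def create_group(self, group_id: str) -> None:
        self._check_id("group", group_id)
        self.groups.add(group_id)

    def assign_task(self, task_id: str, assignee: str) -> None:
        # Assigning a task grants the assignee READ and UPDATE on that task.
        self._check_id("assignee", assignee)
        self.authorizations.append(
            Authorization(assignee, TASK, task_id, frozenset({READ, UPDATE})))

    def is_authorized(self, user_id: str, permission: str,
                      resource: str, resource_id: str) -> bool:
        # A grant applies if its user id is the caller or ANY, its resource type
        # matches, and its resource id is the requested one or ANY.
        for a in self.authorizations:
            if a.user_id not in (user_id, ANY) or a.resource != resource:
                continue
            if a.resource_id in (resource_id, ANY) and permission in a.permissions:
                return True
        return False


def vulnerable_outcome():
    """Without the check: creating user "*" grants everyone rights on every user."""
    eng = Engine(reject_wildcard_ids=False)
    eng.create_user("alice")
    eng.create_user("bob")
    before = eng.is_authorized("alice", DELETE, USER, "bob")   # False
    eng.create_user(ANY)
    after = eng.is_authorized("alice", DELETE, USER, "bob")    # True
    star_user = eng.is_authorized(ANY, DELETE, USER, "bob")    # True
    return before, after, star_user


def hardened_outcome():
    """With the check: the reserved id is rejected at creation time."""
    eng = Engine(reject_wildcard_ids=True)
    eng.create_user("alice")
    try:
        eng.create_user(ANY)
        return "created"
    except ForbiddenIdentifier:
        return "rejected"


def task_outcome(reject_wildcard_ids: bool):
    """Assigning a task to "*" grants UPDATE on it to a user who was never assigned."""
    eng = Engine(reject_wildcard_ids)
    eng.create_user("alice")
    eng.create_user("bob")
    try:
        eng.assign_task("task-1", ANY)
    except ForbiddenIdentifier:
        return None
    return eng.is_authorized("bob", UPDATE, TASK, "task-1")


if __name__ == "__main__":
    print("vulnerable:", vulnerable_outcome())
    print("hardened:", hardened_outcome())
    print("task, no check:", task_outcome(False), "| task, with check:", task_outcome(True))
```

The same `_check_id` guard would apply to every entry point in the report's list (group creation, the authenticated user, task owner, identity links, filter owner), since each of them ends up writing an id into either the user-id or the resource-id column of an authorization entry. As the report notes, the guard cannot cover identities that arrive from an external source such as LDAP; for those the check would have to sit where the external id is mapped into the engine.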


People: Roman Smirnov (smirnov), Thorben Lindhauer (thorben.lindhauer)
