-
Type:
Bug Report
-
Resolution: Fixed
-
Priority:
L3 - Default
-
Affects Version/s: None
-
Component/s: engine
A user named * is able to create/edit/delete other users, although no authorizations are granted explicitly.
Reason:
- * is a reserved keyword in the authorization checks
- when a user is created, a default authorization is created to allow the user to edit/delete its own profile. This means, the resource id for that authorization entry is set to the user id
- since * is a reserved character that grants authorization for all resources of a type, a user named * immediately receives this right
Additional cases:
- It should not be possible to create a group with id *
- It should not be possible to set * as the currently authenticated user (since all authorizations created during this time are going to be granted to all users)
- It should not be possible to assign a task to * (since then all users are granted READ and UPDATE for that task)
- it should not be possible to set a task owner to *
- it should not be possible to create a task identity link for a user *
- it should not be possible to create a task filter with owner *
Solution Idea:
- Forbid creation of a user/a group named * (not sure how that might work when users are served from LDAP or some other external source)
This is the controller panel for Smart Panels app
- depends on
-
-
- Open
-
- links to
