camunda BPM / CAM-4663

A user named * can create/edit/delete all other users


    Details

    • Type: Bug Report
    • Status: Closed
    • Priority: L3 - Default
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 7.4.0, 7.4.0-alpha3
    • Component/s: engine
    • Labels:

      Description

      A user named * is able to create/edit/delete other users, although no authorizations are granted explicitly.

      Reason:

      • * is a reserved keyword in the authorization checks
      • when a user is created, a default authorization is created to allow the user to edit/delete its own profile. This means the resource id for that authorization entry is set to the user id
      • since * is a reserved character that grants authorization for all resources of a type, a user named * immediately receives this right

      Additional cases:

      • It should not be possible to create a group with id *
      • It should not be possible to set * as the currently authenticated user (since all authorizations created during this time are going to be granted to all users)
      • It should not be possible to assign a task to * (since then all users are granted READ and UPDATE for that task)
      • It should not be possible to set a task owner to *
      • It should not be possible to create a task identity link for a user *
      • It should not be possible to create a task filter with owner *

      Solution Idea:

      • Forbid creation of a user/a group named * (not sure how that might work when users are served from LDAP or some other external source)
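      The following is a simplified model of the mechanism described in this report, added here as an illustration; it is not Camunda's own code. It keeps only the two facts the report relies on: Camunda treats the id * as a wildcard (ANY) for both the user id and the resource id of an authorization entry, and creating a user inserts a default entry whose resource id is the new user id. The IdentityStore and Authorization classes, the permission names, the USER resource type constant and the reject_wildcard_ids switch are illustrative stand-ins; the real check runs as a query over the engine's authorization table.

```python
# Simplified model of the wildcard authorization check behind CAM-4663.
# Written for this issue page; not Camunda's code. Class names, permission
# names and the reject_wildcard_ids switch are illustrative assumptions.
from dataclasses import dataclass

ANY = "*"                      # Camunda's wildcard id (Authorization.ANY)
RESOURCE_USER = "USER"         # stand-in for the USER resource type
ALL = frozenset({"CREATE", "READ", "UPDATE", "DELETE"})


@dataclass(frozen=True)
class Authorization:
    user_id: str          # "*" means: applies to every user
    resource_type: str
    resource_id: str      # "*" means: applies to every resource of the type
    permissions: frozenset


def matches(auth, user_id, resource_type, resource_id):
    """Wildcard semantics: '*' on either side matches any id."""
    return (auth.user_id in (ANY, user_id)
            and auth.resource_type == resource_type
            and auth.resource_id in (ANY, resource_id))


class IdentityStore:
    """Toy identity service that mirrors the default-authorization behaviour."""

    def __init__(self, reject_wildcard_ids=False):
        # reject_wildcard_ids models the fix direction from the solution idea
        self.reject_wildcard_ids = reject_wildcard_ids
        self.users = set()
        self.authorizations = []

    def create_user(self, user_id):
        if self.reject_wildcard_ids and user_id == ANY:
            raise ValueError("user id '*' is reserved and cannot be used")
        self.users.add(user_id)
        # Default grant: the user may edit/delete its own profile. The resource
        # id is the user id, so a user named "*" gets a wildcard resource id,
        # and its user id "*" makes the grant apply to every user as well.
        self.authorizations.append(
            Authorization(user_id, RESOURCE_USER, user_id, ALL))

    def is_authorized(self, user_id, permission, resource_type, resource_id):
        return any(permission in a.permissions
                   and matches(a, user_id, resource_type, resource_id)
                   for a in self.authorizations)


def demo_vulnerable():
    """Before the fix: creating user '*' grants everyone everything on users."""
    store = IdentityStore(reject_wildcard_ids=False)
    store.create_user("alice")
    store.create_user("bob")
    before = store.is_authorized("alice", "DELETE", RESOURCE_USER, "bob")
    store.create_user(ANY)   # the reported case: a user literally named "*"
    star_deletes_bob = store.is_authorized(ANY, "DELETE", RESOURCE_USER, "bob")
    alice_deletes_bob = store.is_authorized("alice", "DELETE", RESOURCE_USER, "bob")
    return before, star_deletes_bob, alice_deletes_bob


def demo_fixed():
    """With '*' rejected as an id, no wildcard grant can be created this way."""
    store = IdentityStore(reject_wildcard_ids=True)
    store.create_user("alice")
    store.create_user("bob")
    try:
        store.create_user(ANY)
        rejected = False
    except ValueError:
        rejected = True
    return rejected, store.is_authorized("alice", "DELETE", RESOURCE_USER, "bob")


if __name__ == "__main__":
    print("vulnerable (before, '*' deletes bob, alice deletes bob):", demo_vulnerable())
    print("fixed ('*' rejected, alice deletes bob):", demo_fixed())
```

      Note that the model shows the second effect the report lists under additional cases: because the default entry also carries the user id *, it does not merely let the user named * act on all users, it lets every user act on all users. A check on the user id alone is therefore not enough when users come from LDAP or another external source; the engine has to refuse * wherever it would become a user id, group id, owner or assignee on an authorization entry.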

              People

              Assignee:
              smirnov Roman Smirnov
              Reporter:
              thorben.lindhauer Thorben Lindhauer
