Recently I started to work more with the user rights management, and I discovered one thing which troubles me a bit: if I give a user (or a user group) the right to change the rights of other users, these users can then promote other users (and themselves) into the "admins" group and therefore escalate their rights. Can you somehow prevent that? As a user, I should not be able to grant rights which are higher than my currently owned rights, I think.
Steps to reproduce the issue
Lizmap Admin Interface
Grant User the "Change User Rights" permission
-> The granted user can promote other users without any restrictions
List of Lizmap Web Client modules :
* altiProfil : 0.5.8
* altiProfilAdmin : 0.5.8
List of safeguards :
* Mode : normal
* Allow parent folder : no
* Prevent other drive : yes
* Prevent PG service : yes
* Prevent PG Auth DB : yes
* Force PG user&pass : yes
* Prevent ECW : yes
Check Lizmap plugin
I have done the step just before in the Lizmap QGIS desktop plugin before opening this ticket. Otherwise, my ticket is not considered valid and might get closed.
Operating system
Ubuntu 22.04
Browsers
Firefox
Browsers version
Firefox 89
Relevant log output
No response
If you give a user the right to modify the rights of other users, then you consider this user as an administrator user. Having the right to modify rights is a "super power". So you give him the power to modify the rights of other users (or groups) and to put them into groups that have these rights.
If you don't trust this user, don't give him this super power.
As a user, I should not be able to grant rights which are higher than my currently owned rights
There is no hierarchy in groups or rights. Groups are just a list of rights.
Hm okay, well. I wanted the user to manage other users (allow them to edit layer XY as it is in group policy XY); I trust him on this. But knowing he is lacking any IT knowledge, I fear he might accidentally give someone (or himself) lizmap-administrative rights, which I would see as potentially dangerous.
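The flat model the maintainer describes (groups are just sets of rights, no hierarchy) next to the "cannot grant more than you hold" check the reporter asks for, as an added example that is not Lizmap's code; the right and group names are hypothetical and the users are constructed.

```python
from typing import Dict, Set

# Constructed toy rights model in the spirit of the thread: a group is a plain
# set of rights and nothing ranks groups above one another. Hypothetical names.
CHANGE_RIGHTS = "change_user_rights"
ADMIN_ACCESS = "admin_access"
EDIT_LAYER_XY = "edit_layer_xy"

GROUPS: Dict[str, Set[str]] = {
    "admins": {CHANGE_RIGHTS, ADMIN_ACCESS, EDIT_LAYER_XY},
    "layer_xy_editors": {EDIT_LAYER_XY},
    "delegated_managers": {CHANGE_RIGHTS, EDIT_LAYER_XY},
}


class RightsStore:
    def __init__(self, membership: Dict[str, Set[str]]) -> None:
        self.membership = {u: set(g) for u, g in membership.items()}

    def rights_of(self, user: str) -> Set[str]:
        # A user's rights are the union of the rights of every group they are in.
        return set().union(*(GROUPS[g] for g in self.membership.get(user, set())))

    def add_to_group(self, actor: str, target: str, group: str, guard: bool) -> bool:
        """Put target into group on behalf of actor; returns True if applied."""
        actor_rights = self.rights_of(actor)
        if CHANGE_RIGHTS not in actor_rights:
            return False  # actor may not manage rights at all
        # Reported behaviour (guard=False): that was the only check, so the actor
        # can hand out any group, including one carrying rights they lack.
        # Proposed mitigation (guard=True): every right of the group must already
        # be held by the actor (set containment), so no hierarchy is needed.
        if guard and not GROUPS[group] <= actor_rights:
            return False
        self.membership.setdefault(target, set()).add(group)
        return True


def run_scenario(guard: bool) -> Dict[str, bool]:
    """Delegated manager 'bob' does the legitimate task, then tries to self-promote."""
    store = RightsStore({"alice": {"admins"}, "bob": {"delegated_managers"}})
    editor_grant = store.add_to_group("bob", "carol", "layer_xy_editors", guard)
    self_promotion = store.add_to_group("bob", "bob", "admins", guard)
    return {
        "editor_grant_applied": editor_grant,
        "carol_can_edit": EDIT_LAYER_XY in store.rights_of("carol"),
        "self_promotion_applied": self_promotion,
        "bob_is_admin": ADMIN_ACCESS in store.rights_of("bob"),
    }
```

With the guard on, the delegated manager can still add people to the layer-editor group but cannot place anyone, including himself, into a group that carries admin access.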