
Bug #22899

open

RBAC model allows users to steal shared records from other users.

Added by roman plevka about 6 years ago. Updated about 6 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Organizations and Locations
Target version:
-
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Have 2 orgs with 1 user each, where each user is an Org admin for his appropriate org and also belongs to it:
user1 => org1
user2 => org2

- now create some record, e.g. an OS, belonging to both org1 and org2
- now log in as e.g. user1 and edit the created OS in such a way that you unassign org2 from it.
- as a result, user2 can no longer access nor manipulate the OS.

- I think a solution to this would be to only display Orgs available to user1 (the ones user1 is a member of). Also, the processing of such PUT requests should be modified so that the organization_ids parameter is not evaluated "absolutely", as it won't contain the 'inaccessible' orgs - the backend needs to add the original 'inaccessible' orgs to the list.
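The "absolute" evaluation of organization_ids described above, beside the proposed scoped merge, as an added example; this is not Foreman's own code, and the function names, the numeric org ids and the `OS_ORGS` / `USER1_ACCESSIBLE` scenario are constructed for illustration:

```ruby
# Added example (not Foreman's own code): merging a submitted organization_ids
# list with the organizations the editing user cannot see, so that a scoped
# user's PUT cannot silently strip another org's assignment from a shared record.
require 'set'

# The behaviour described in the report: the submitted list replaces the
# record's organizations wholesale, so org2 (invisible to user1) is dropped.
def absolute_update(current_org_ids, submitted_org_ids)
  submitted_org_ids.to_set
end

# Proposed fix: only the organizations the user can actually see are taken
# from the request; every other organization the record already had is kept.
# A user can therefore add or remove only organizations they are a member of.
def scoped_update(current_org_ids, accessible_org_ids, submitted_org_ids)
  current    = current_org_ids.to_set
  accessible = accessible_org_ids.to_set
  submitted  = submitted_org_ids.to_set

  # Ids the user cannot see are dropped here (a real controller would rather
  # reject them), so the request cannot grant the record to a foreign org either.
  visible_choice = submitted & accessible
  hidden_kept    = current - accessible
  visible_choice | hidden_kept
end

# Constructed scenario from the report: an OS shared by org1 (id 1) and
# org2 (id 2), edited by user1, who is only a member of org1.
OS_ORGS          = [1, 2].freeze
USER1_ACCESSIBLE = [1].freeze

def demo
  # user1's form only lists org1, so the PUT carries organization_ids=[1].
  {
    absolute:        absolute_update(OS_ORGS, [1]).to_a.sort,            # [1]: org2 lost
    scoped:          scoped_update(OS_ORGS, USER1_ACCESSIBLE, [1]).to_a.sort,    # [1, 2]
    # user1 naming org2 explicitly changes nothing for org2
    scoped_attempt:  scoped_update(OS_ORGS, USER1_ACCESSIBLE, [1, 2]).to_a.sort, # [1, 2]
    # user1 legitimately dropping its own org1 keeps org2's access intact
    scoped_drop_own: scoped_update(OS_ORGS, USER1_ACCESSIBLE, []).to_a.sort      # [2]
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```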

#1

Updated by Marek Hulán about 6 years ago

  • Category changed from Users, Roles and Permissions to Organizations and Locations

I think this was resolved, Roman, mind updating the issue?
