Bug #24851: Do not allow users to escalate their own permissions - Foreman

Actions

Copy link

Bug #24851

open

Do not allow users to escalate their own permissions

Added by Ondřej Pražák over 6 years ago. Updated over 6 years ago.

Status:

New

Priority:

Low

Assignee:

Category:

Users, Roles and Permissions

Target version:

Difficulty:

Triaged:

Bugzilla link:

Pull request:

Fixed in Releases:

Found in Releases:

Red Hat JIRA:

Description

It is possible for users to escalate their own permissions and gain access to additional actions/resources. So far, I have discovered the following scenarios where it occurs:

Scenario A
1) Have a non-admin user in OrgA and LocA with a Manager role
2) User can add more organizations to himself

Scenario B
1) Have a non-admin user with all permissions for Role and Filter
2) User can add a new filter to the role he already owns.

Scenario C
1) Have a non-admin user with all permissions to Usergroup
2) User can add himself to the usergroup

Related issues 1 (0 open — 1 closed)

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Custom queries

Bug #24851

Do not allow users to escalate their own permissions

Updated by Marek Hulán over 6 years ago

Updated by Marek Hulán over 6 years ago

Updated by Marek Hulán over 6 years ago

Updated by Ondřej Pražák over 6 years ago