Bug #25104
open
Permissions for roles can be modified even if user does not have :edit_roles permission
Description
It is possible to add and remove permissions to a role even if current_user does not have :edit_role permission. The cause is that filters cannot exist without association to a role but their permissions do not take it into consideration. When filter is created, it is always associated to a role and that role has access to permissions through filter, so even if role record has not been modified, the role itself gained new permissions through associations.
We should turn filters into a proper nested resource that would fully depend on a role.
Steps to reproduce:
1) create a role with the following permissions: :view_roles, :view_filters, :create_filters, :update_filters, :destroy_filters
2) create a new user named Bob, assign him role created in step 1 and then log in as Bob
3) go to Administer -> Roles, then click on 'Filters' button for a role that is not locked, which will show you index of filters and edit buttons in the Action table column
Updated by Lukas Zapletal over 5 years ago
- Category set to Users, Roles and Permissions
- Triaged changed from No to Yes
Updated by Aditi Puntambekar over 5 years ago
Is the expected result here that although we have edit filter permission for Bob, but since no edit role permission, then Edit Action shouldn't appear for Filter resource as well ? As in Edit action for any resource should appear only if edit_roles permission is applied ?
Updated by Ondřej Pražák over 5 years ago
It is expected that users will not be authorized to add new permissions to roles by creating/updating filters if they do not have :edit_roles permission. If users do not have :edit_roles permission, they should not be allowed to modify roles.
Updated by Aditi Puntambekar almost 5 years ago
- Assignee deleted (
Aditi Puntambekar)