Bug #25104


Permissions for roles can be modified even if user does not have :edit_roles permission

Added by Ondřej Pražák over 5 years ago. Updated over 4 years ago.

Category: Users, Roles and Permissions


It is possible to add and remove permissions on a role even if current_user does not have the :edit_roles permission. The cause is that filters cannot exist without an association to a role, but their permissions do not take this into consideration. When a filter is created, it is always associated with a role, and that role has access to permissions through the filter, so even if the role record itself has not been modified, the role has gained new permissions through the association.

We should turn filters into a proper nested resource that would fully depend on a role.

Steps to reproduce:

1) create a role with the following permissions: :view_roles, :view_filters, :create_filters, :update_filters, :destroy_filters
2) create a new user named Bob, assign him the role created in step 1 and then log in as Bob
3) go to Administer -> Roles, then click on the 'Filters' button for a role that is not locked, which will show you the index of filters and edit buttons in the Action table column
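The following self-contained Ruby script is an added illustration of the gap described above and of the nested-resource fix proposed for it; it is not Foreman code, and the model, controller and method names (Permission, Filter, Role, User, FlatFiltersController, NestedFiltersController, bob_scenario) are assumed for the example. It replays steps 1 and 2 of the reproduction in memory: Bob holds the five filter-management permissions but not :edit_roles, and attempts to attach a constructed permission (destroy_hosts) to another role. With a flat check on the filter permissions alone the target role silently gains the permission; with the check nested under the parent role the request is rejected before anything is written.

```ruby
require 'set'

# In-memory stand-ins for the records involved (assumed names, not Foreman's
# models): a Permission has a name, a Filter belongs to one Role and carries a
# list of Permissions, and a Role's effective permissions are the union of
# its filters' permissions, as the report describes.
Permission = Struct.new(:name)
Filter     = Struct.new(:role, :permissions)
Role       = Struct.new(:name, :filters) do
  def permission_names
    filters.flat_map(&:permissions).map(&:name).to_set
  end
end
User = Struct.new(:name, :roles) do
  def allowed?(permission_name)
    roles.any? { |r| r.permission_names.include?(permission_name) }
  end
end

class NotAuthorized < StandardError; end

# Flat authorization: only the caller's filter permissions are checked.
# Because every filter is attached to a role, a successful create silently
# grants the target role new permissions. This is the gap in the report.
module FlatFiltersController
  def self.create(current_user, role, permission_names)
    raise NotAuthorized, 'create_filters' unless current_user.allowed?('create_filters')
    filter = Filter.new(role, permission_names.map { |n| Permission.new(n) })
    role.filters << filter
    filter
  end
end

# Nested authorization: the filter is treated as part of its parent role, so
# creating one is an edit of that role and must also pass the :edit_roles
# check before anything is written.
module NestedFiltersController
  def self.create(current_user, role, permission_names)
    raise NotAuthorized, 'create_filters' unless current_user.allowed?('create_filters')
    raise NotAuthorized, 'edit_roles' unless current_user.allowed?('edit_roles')
    filter = Filter.new(role, permission_names.map { |n| Permission.new(n) })
    role.filters << filter
    filter
  end
end

# Replays steps 1 and 2 of the reproduction against either controller: Bob
# holds the filter-management permissions listed in the report but not
# :edit_roles, and tries to attach a constructed permission (destroy_hosts)
# to another role. Returns [:allowed, resulting permission names] or
# [:denied, name of the missing permission].
def bob_scenario(controller)
  granted  = %w[view_roles view_filters create_filters update_filters destroy_filters]
  bob_role = Role.new('filter_manager', [])
  bob_role.filters << Filter.new(bob_role, granted.map { |n| Permission.new(n) })
  bob      = User.new('Bob', [bob_role])
  target   = Role.new('viewer', [])

  controller.create(bob, target, %w[destroy_hosts])
  [:allowed, target.permission_names.to_a]
rescue NotAuthorized => e
  [:denied, e.message]
end

if __FILE__ == $PROGRAM_NAME
  p bob_scenario(FlatFiltersController)    # [:allowed, ["destroy_hosts"]]
  p bob_scenario(NestedFiltersController)  # [:denied, "edit_roles"]
end
```

The point of the nested variant is that the authorization question is asked about the parent record (the role) rather than the child record (the filter): any write path that can change a role's effective permissions, including update and destroy of its filters, has to be gated by the same :edit_roles check, otherwise the flat path reopens the gap.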

#1

Updated by Lukas Zapletal over 5 years ago

  • Category set to Users, Roles and Permissions
  • Triaged changed from No to Yes
#2

Updated by Aditi Puntambekar over 5 years ago

  • Assignee set to Aditi Puntambekar
#3

Updated by Aditi Puntambekar about 5 years ago

Is the expected result here that, although Bob has the edit filter permission, the Edit action shouldn't appear for the Filter resource either, since there is no edit role permission? As in, should the Edit action for any resource appear only if the edit_roles permission is applied?

#4

Updated by Ondřej Pražák about 5 years ago

It is expected that users will not be authorized to add new permissions to roles by creating/updating filters if they do not have :edit_roles permission. If users do not have :edit_roles permission, they should not be allowed to modify roles.

#5

Updated by Aditi Puntambekar over 4 years ago

  • Assignee deleted (Aditi Puntambekar)
