Broken Authentication (Unauthorized partial access to admin panel) #762

Closed
rishaldwivedi opened this issue Jul 14, 2018 · 4 comments · Fixed by #861

Comments

@rishaldwivedi

In the application, the administrator can create user groups and also apply security policies (permissions) to them, applicable to all members of the group.

One of the policies is the user group's permission to the "admin panel". Unfortunately, this doesn't work as expected. A normal user belonging to the Registered group (no access to the admin panel) can still get inside the admin panel (but can't perform any action).

Steps to reproduce:

  • [1] Navigate to the admin panel and enter credentials (registered user); the user would be logged in.
  • [2] Once he clicks on any link, he would be quickly logged out of the application and would not be able to log in again.

In order to reproduce again, log in with valid user credentials having access to the admin panel and then log out.
Now repeat [1].

@4unkur 4unkur self-assigned this Jul 16, 2018
@4unkur
Member

4unkur commented Jul 16, 2018

I have tried to reproduce this issue and it seems there is no such issue.
Could you please recheck it? Or am I missing something?

I have tried to log in to the admin panel using the credentials of a non-admin user - the system did not allow it.
Then tried to log in to the admin panel with an admin user and log out.
Then tried to log in with a non-admin user - rejected.

Awaiting feedback.

@rishaldwivedi
Author

Strange!!

I tried reproducing the issue from my other machine and failed to do so.
There was some other glitch there: even for valid admin credentials, it says "Access denied" the first time. The second time, it logs in successfully.

Anyhow, I am still able to reproduce the original issue from my same machine and have recorded a video PoC for it. Not sure what's causing the problem.

Will try doing my research on it.

@4unkur
Member

4unkur commented Jul 18, 2018

Confirmed. In the video you've provided I noticed that the Guests usergroup has access to the Admin panel.
With these settings, the bug you have reported takes place.

Thank you for your report. We'll fix this issue in the upcoming releases.

@rishaldwivedi
Author

Nice eye!

@vbezruchkin vbezruchkin added this to the 4.2.2 milestone Feb 23, 2019
@vbezruchkin vbezruchkin modified the milestones: 4.2.2, 4.2.4 Nov 26, 2019
@4unkur 4unkur linked a pull request Feb 27, 2020 that will close this issue
vbezruchkin pushed a commit that referenced this issue Feb 28, 2020
@4unkur 4unkur modified the milestones: 4.2.4, 4.2.2 Feb 28, 2020
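
As an added illustration (not the project's code; the group names, the permission name and the split between a login-time check and a per-request check are assumptions drawn from the thread), the following Python models how a Guests-group grant on the admin panel can let a Registered user in at login and then eject them on the first click, and includes a small configuration audit that flags the grant:

```python
# Added, hypothetical model of group-based admin-panel access (not the project's code).
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

GUESTS = "Guests"            # implicit group applied to every visitor (assumption)
ADMIN_PANEL = "admin_panel"  # constructed permission name


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]   # explicit group memberships only


def sample_policy(guests_have_admin: bool) -> Dict[str, Set[str]]:
    """Constructed group -> permissions table; the flag reproduces the
    misconfiguration found in the thread (Guests granted the admin panel)."""
    return {
        GUESTS: {ADMIN_PANEL} if guests_have_admin else set(),
        "Registered": set(),
        "Administrators": {ADMIN_PANEL},
    }


def lenient_check(user: User, policy: Dict[str, Set[str]]) -> bool:
    """Union over all groups, including the implicit Guests group: any group
    granting the permission is enough. This is the permissive path."""
    groups = set(user.groups) | {GUESTS}
    return any(ADMIN_PANEL in policy.get(g, set()) for g in groups)


def strict_check(user: User, policy: Dict[str, Set[str]]) -> bool:
    """Only the user's explicit groups count; a grant on the implicit Guests
    group is ignored for the privileged admin area."""
    return any(ADMIN_PANEL in policy.get(g, set()) for g in user.groups)


Check = Callable[[User, Dict[str, Set[str]]], bool]


def login_then_click(user: User, policy: Dict[str, Set[str]],
                     login_check: Check, request_check: Check) -> Tuple[bool, bool]:
    """Return (logged_in, still_logged_in_after_first_click).

    When the login form and the per-request guard use different checks, the
    two decisions can disagree: the session is created, then torn down on the
    first guarded request, which is the symptom described in the report."""
    if not login_check(user, policy):
        return (False, False)
    return (True, request_check(user, policy))


def audit_policy(policy: Dict[str, Set[str]]) -> List[str]:
    """Configuration check: list implicit groups that grant the admin panel.
    A non-empty result is the misconfiguration to flag."""
    return [g for g in (GUESTS,) if ADMIN_PANEL in policy.get(g, set())]


if __name__ == "__main__":
    registered = User("alice", frozenset({"Registered"}))
    admin = User("root", frozenset({"Administrators"}))
    bad = sample_policy(guests_have_admin=True)
    good = sample_policy(guests_have_admin=False)
    print("buggy (lenient login, strict request):",
          login_then_click(registered, bad, lenient_check, strict_check))
    print("fixed (strict at both points):",
          login_then_click(registered, bad, strict_check, strict_check))
    print("audit bad/good:", audit_policy(bad), audit_policy(good))
```

The two design choices the model makes are the ones worth carrying into a real fix: a grant on an implicit "everyone" group is never sufficient for a privileged area, and the login form and the per-request guard call the same resolver so they cannot disagree about the same user.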