Guest user is assigned user role upon email verification #13823

Closed
dkatheininger opened this issue Mar 21, 2019 · 3 comments · Fixed by #14263

Comments

dkatheininger (Author) opened the issue Mar 21, 2019

Description:

When a user who has only the role "Guest" assigned changes their email address and verifies the new address by clicking the link, the role "User" is automatically assigned to them. I believe this is a major security issue, as guest users can upgrade their privileges by themselves.

In case there is a setting in the administration area that determines this behaviour, I wasn't able to find it.

Steps to reproduce:

  1. Login as a user having only the role "guest"
  2. Go to the user profile and change the email address
  3. In the verification email click the verification link
  4. The user now has the role "user" assigned

Server Setup Information:

  • Version of Rocket.Chat Server: 0.74.3
  • Operating System: Linux
  • Deployment Method: Docker
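To make the reported behaviour concrete, here is an added illustration in plain JavaScript. It is not Rocket.Chat's code and does not reproduce its internals; the store layout and the function names `changeEmail`, `verifyEmailUnsafe`, `verifyEmailSafe` and `rolesAfterVerify` are assumptions for this example. It models the reproduction steps (change address, then verify) against a guest-only account, once with a handler that grants "user" on verification and once with a handler that only records the verification.

```javascript
// Added illustration, not Rocket.Chat's code. Names and store layout are assumed.

// Constructed sample store: a single account that holds only the "guest" role.
function makeStore() {
  return new Map([
    ['u1', { roles: ['guest'], emails: [{ address: 'old@example.test', verified: true }] }],
  ]);
}

// Step 2 of the report: the user (or an admin) sets a new, unverified address.
function changeEmail(store, userId, newAddress) {
  const user = store.get(userId);
  user.emails = [{ address: newAddress, verified: false }];
}

// Mirrors the reported defect: proving control of the address also grants "user".
function verifyEmailUnsafe(store, userId, address) {
  const user = store.get(userId);
  const email = user.emails.find((e) => e.address === address);
  if (!email) return false;
  email.verified = true;
  if (!user.roles.includes('user')) user.roles.push('user'); // privilege change
  return true;
}

// Hardened form: verification is evidence about the address, not about roles.
// Roles stay as they were; any change of role remains a separate, explicit action.
function verifyEmailSafe(store, userId, address) {
  const user = store.get(userId);
  const email = user.emails.find((e) => e.address === address);
  if (!email) return false;
  email.verified = true;
  return true;
}

// Runs the reproduction steps with the given handler and returns the roles the
// account ends up with; a guest-only account must still be guest-only afterwards.
function rolesAfterVerify(verify) {
  const store = makeStore();
  changeEmail(store, 'u1', 'new@example.test');
  verify(store, 'u1', 'new@example.test');
  return store.get('u1').roles.slice();
}
```

The same comparison doubles as a regression check: run the steps against a guest-only account and assert that the role set is unchanged after verification.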
knrt10 (Contributor) commented Mar 21, 2019

cc @sampaiodiego @ggazzo this is a problem I suppose.

dkatheininger (Author) commented

The same issue also occurs when an admin user changes the email address of a user having the guest role only. Once the user clicks the "Verify your Email" link, the role 'User' is assigned.

knrt10 (Contributor) commented Apr 1, 2019

Will look into it.
