
Broken Authentication (Unauthorized partial access to admin panel) #762

Open
rishaldwivedi opened this Issue Jul 14, 2018 · 4 comments

rishaldwivedi commented Jul 14, 2018

In the application, the administrator can create user groups and also apply security policies (permissions) to them, which apply to all members of the group.

One of the policies is the user group's permission to access the "admin panel". Unfortunately, this doesn't work as expected. A normal user belonging to the Registered group (no access to the admin panel) can still get inside the admin panel (but can't perform any action).

Steps to reproduce:

  • [1] Navigate to the admin panel and enter the credentials of a registered user; the user will be logged in.
  • [2] Once he clicks on any link, he is quickly logged out of the application and is not able to log in again.

In order to reproduce it again, log in with the credentials of a valid user who has access to the admin panel, then log out.
Now repeat [1].

@4unkur 4unkur self-assigned this Jul 16, 2018

4unkur (Member) commented Jul 16, 2018

I have tried to reproduce this issue and it seems there is no such issue.
Could you please recheck it? Or am I missing something?

I tried to log in to the admin panel using the credentials of a non-admin user; the system did not allow it.
Then I tried to log in to the admin panel with an admin user and log out.
Then I tried to log in with a non-admin user: rejected.

Awaiting feedback.

rishaldwivedi (Author) commented Jul 17, 2018

Strange!!

I tried reproducing the issue from my other machine and failed to do so.
There was another glitch there: even for valid admin credentials, it says "Access denied" the first time. The second time, it logs in successfully.

Anyhow, I am still able to reproduce the original issue from my own machine and have recorded a video PoC of it. Not sure what's causing the problem.

I will try doing my research on it.

4unkur (Member) commented Jul 18, 2018

Confirmed. In the video you provided I noticed that the Guests user group has access to the admin panel.
With these settings, the bug you reported takes place.

Thank you for your report. We'll fix this issue in an upcoming release.

rishaldwivedi (Author) commented Jul 18, 2018

Nice eye!

@vbezruchkin vbezruchkin added this to the 4.2.2 milestone Feb 23, 2019
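The thread above never shows the project's access-control code, so the following is an added illustration, not code from the project or from either participant. It models the configuration the maintainer spotted (the Guests group granted the admin panel) and one plausible mechanism for the reported symptom: a resolver that merges the Guests group's permissions into every session, so a Registered user passes the admin-panel login check. That mechanism, the group names, the `admin_panel` permission string and the function names are all assumptions made for the example. The corrected resolver beside it applies Guests permissions only to unauthenticated sessions, and `audit_groups` is the configuration check a practitioner would run to catch an anonymous grant of the admin panel before it matters.

```python
"""Constructed model of a guest-group permission leaking into the access
check for an authenticated user, beside the corrected check.

Illustrative example only (not the project's code): group names, the
permission name and the resolver functions are assumptions.
"""

from typing import Dict, FrozenSet, List, Optional

ADMIN_PANEL = "admin_panel"
GUEST_GROUP = "Guests"

# Constructed group -> permission map. Only "Administrator" is supposed to
# reach the admin panel; "Registered" is the reporter's normal user.
GROUPS: Dict[str, FrozenSet[str]] = {
    "Administrator": frozenset({ADMIN_PANEL, "edit_records"}),
    "Registered": frozenset({"view_records"}),
    GUEST_GROUP: frozenset({"view_public"}),
}


def guest_misconfigured(groups: Dict[str, FrozenSet[str]]) -> Dict[str, FrozenSet[str]]:
    """Return a copy of the map with the misconfiguration from the thread:
    the Guests group has been granted the admin panel."""
    bad = dict(groups)
    bad[GUEST_GROUP] = bad[GUEST_GROUP] | {ADMIN_PANEL}
    return bad


def effective_permissions_buggy(group: Optional[str],
                                groups: Dict[str, FrozenSet[str]]) -> FrozenSet[str]:
    """Assumed buggy resolver: every session, authenticated or not, inherits
    whatever the Guests group is allowed. A Guests-level grant of the admin
    panel therefore reaches the Registered user as well."""
    own = groups.get(group, frozenset()) if group else frozenset()
    return own | groups[GUEST_GROUP]


def effective_permissions_fixed(group: Optional[str],
                                groups: Dict[str, FrozenSet[str]]) -> FrozenSet[str]:
    """Corrected resolver: Guests permissions apply only when there is no
    authenticated user; an authenticated user gets exactly their own group."""
    if group is None:
        return groups[GUEST_GROUP]
    return groups.get(group, frozenset())


def can_open_admin_panel(group: Optional[str],
                         groups: Dict[str, FrozenSet[str]],
                         resolver) -> bool:
    """Gate used by the (modelled) admin-panel login."""
    return ADMIN_PANEL in resolver(group, groups)


def audit_groups(groups: Dict[str, FrozenSet[str]]) -> List[str]:
    """Configuration check: an anonymous (Guests) grant of the admin panel is
    never intended, so flag it regardless of how the resolver behaves."""
    findings: List[str] = []
    if ADMIN_PANEL in groups.get(GUEST_GROUP, frozenset()):
        findings.append(f"{GUEST_GROUP} group grants {ADMIN_PANEL}")
    return findings


if __name__ == "__main__":
    bad = guest_misconfigured(GROUPS)
    for label, resolver in (("buggy", effective_permissions_buggy),
                            ("fixed", effective_permissions_fixed)):
        for group in ("Administrator", "Registered", None):
            print(f"{label:5} {str(group):13} admin panel: "
                  f"{can_open_admin_panel(group, bad, resolver)}")
    print("audit:", audit_groups(bad))
```

With the misconfigured map, the buggy resolver lets the Registered user through the admin-panel login while the fixed one denies it; with the clean map both resolvers agree. Whatever the real root cause turns out to be, the audit check is the cheap defence: it flags the Guests grant directly, without depending on how permissions are combined at login.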
