
Any user with permission to create/edit users can effectively assign himself or any other user any permissions #10443

Closed
juro opened this issue Sep 17, 2010 · 2 comments
Labels
area-security proposal Proposal about improvement aka RFC. Need to be discussed before start implementation.

Comments


juro commented Sep 17, 2010

juro created Redmine issue ID 10443

Situation: admin needs to create a special user/role/policy (e.g. Manager) that is able to create/edit other users (e.g. department manager can manage users from his dept.)

To be effective, manager must have at least these permissions: access_permissions (at least User management action must be visible in top menu), new_user, view_user, edit_user, delete_user, save_user, view_role.

Sadly this also means that Manager can:

- delete or disable admin
- add himself or any user any role (Superuser) and assign to any User group (Administrator)
- it also means he can create snippets and plugins, thus effectively run any PHP code on server, access database directly etc.

The resolution would be that anybody can assign (view) roles up to his own role and assign to his own user groups.
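
A model of the rule proposed in this report, added here as an illustration and not MODX's own code: the permission names are the ones listed above, but the numeric role `authority` scale (lower number = more powerful, 0 = Superuser), the `effective_authority` helper, and the group and user names are assumptions made for the example. It contrasts the legacy behaviour (any holder of the user-management permissions may grant any role in any group) with the proposed one (only roles no stronger than the actor's own, only in groups the actor belongs to, and no edits of users who outrank the actor).

```python
"""Role-assignment check contrasting the reported behaviour with the proposed fix.

Assumptions (not from the issue): every role carries an integer `authority`
where a lower value is more powerful and 0 is Superuser; a user's effective
authority is the strongest (lowest) authority among all his group memberships.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    name: str
    authority: int  # assumed scale: lower = more powerful, 0 = Superuser


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)
    memberships: dict = field(default_factory=dict)  # group name -> Role held there

    def effective_authority(self) -> int:
        """Strongest (lowest) authority held; a user in no group is weakest."""
        if not self.memberships:
            return 9999
        return min(role.authority for role in self.memberships.values())


SUPERUSER = Role("Superuser", 0)   # assumed values
MANAGER = Role("Manager", 10)
MEMBER = Role("Member", 9999)

USER_MGMT = {"edit_user", "save_user"}


def legacy_can_assign(actor: User, group: str, role: Role) -> bool:
    """Behaviour the issue describes: the permission check alone decides."""
    return USER_MGMT <= actor.permissions


def proposed_can_assign(actor: User, group: str, role: Role) -> bool:
    """Proposed rule: permission check plus group membership and rank checks."""
    if not USER_MGMT <= actor.permissions:
        return False
    if group not in actor.memberships:          # only his own user groups
        return False
    own = actor.memberships[group].authority
    return role.authority >= own                # only roles up to his own rank


def proposed_can_modify(actor: User, target: User) -> bool:
    """Editing, deleting or disabling a user requires not being outranked by him,
    so a department manager cannot delete or disable an admin."""
    if not {"edit_user", "delete_user"} & actor.permissions:
        return False
    return actor.effective_authority() <= target.effective_authority()


def assign(check, actor: User, target: User, group: str, role: Role) -> bool:
    """Run `check`; on success record the membership on `target`."""
    if not check(actor, group, role):
        return False
    target.memberships[group] = role
    return True


def scenario() -> dict:
    """Constructed users mirroring the report; returns each check's outcome."""
    manager_perms = {"access_permissions", "new_user", "view_user", "edit_user",
                     "delete_user", "save_user", "view_role"}
    admin = User("admin", {"edit_user", "save_user", "delete_user"},
                 {"Administrator": SUPERUSER})

    legacy_mgr = User("dept_manager", set(manager_perms), {"Sales": MANAGER})
    fixed_mgr = User("dept_manager", set(manager_perms), {"Sales": MANAGER})
    alice = User("alice")
    bob = User("bob")

    return {
        # legacy: the manager grants himself Superuser in the Administrator group
        "legacy_self_superuser": assign(legacy_can_assign, legacy_mgr, legacy_mgr,
                                        "Administrator", SUPERUSER),
        # proposed: same attempt is refused (not his group, role outranks him)
        "proposed_self_superuser": assign(proposed_can_assign, fixed_mgr, fixed_mgr,
                                          "Administrator", SUPERUSER),
        # proposed: adding a plain member to his own department is allowed
        "proposed_sales_member": assign(proposed_can_assign, fixed_mgr, alice,
                                        "Sales", MEMBER),
        # proposed: granting Superuser even inside his own group is refused
        "proposed_sales_superuser": assign(proposed_can_assign, fixed_mgr, bob,
                                           "Sales", SUPERUSER),
        # proposed: he cannot disable/delete the admin, but can edit his member
        "proposed_disable_admin": proposed_can_modify(fixed_mgr, admin),
        "proposed_edit_member": proposed_can_modify(fixed_mgr, alice),
    }


if __name__ == "__main__":
    for check, outcome in scenario().items():
        print(f"{check}: {'allowed' if outcome else 'denied'}")
```

The two rank checks are what close the escalation described above: the permission set alone still says who may open the user editor, but the role and group being granted are compared against what the actor already holds, so the editor can no longer be used to climb above one's own rank.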

@splittingred

splittingred submitted:

I think the best solution is to add a few more permissions, as it seems 'access_permissions' is bearing too much of the weight. We'll address this in 2.0.3.

@rtripault
Contributor

Closing in favor of #11208 which has some more discussion.
Feel free to comment there too!
