Acl: New user accounts assigned to a system-generated role bypass security checks #457

@oyeaussie

Description

The Registered Users role is system generated at the time of install, and the permissions array in that role is empty.

When we create a new user, we assign them a role and also push default permissions (all 0s). This should bypass the security check.

######## Issue imported from Gitea ########

Details

Gitea Issue ID : 520
State : open
Created : 2024-04-15T17:28:21+10:00

Timeline

Label : Added P1 on 2024-04-15T17:28:21+10:00.
Label : Added Securitybug on 2024-04-15T17:28:21+10:00.
Commit Reference: !520 - Added proper checks.
Commit Reference: !520 - check in basecomponent
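The bug class described in this issue, shown as an added example that is not the project's own code: a hypothetical ACL check in which an empty role permissions array is mistaken for "no restrictions", next to a deny-by-default version. The `Role`/`User` model, the `"component:action"` key format and the precedence of role rules over user rules are assumptions made for this example.

```python
# Hypothetical ACL model constructed for this example; not the project's code.
# Assumptions: a role stores permissions as {"component:action": 0|1},
# system-generated roles start with an empty dict, and a new user is seeded
# with default entries that are all 0 (as described in the issue).
from dataclasses import dataclass, field

DEFAULT_ACTIONS = ("view", "add", "update", "remove")


@dataclass
class Role:
    name: str
    permissions: dict = field(default_factory=dict)  # empty for system-generated roles


@dataclass
class User:
    name: str
    role: Role
    permissions: dict = field(default_factory=dict)


def default_permissions(components):
    """Mirror 'push default permissions (all 0s)' at user-creation time."""
    return {f"{c}:{a}": 0 for c in components for a in DEFAULT_ACTIONS}


def allowed_buggy(user, component, action):
    """Reproduces the bypass: an empty role permissions array is treated as
    'nothing to check', so a Registered Users member is allowed everything."""
    key = f"{component}:{action}"
    if not user.role.permissions:          # empty array -> no rule found ...
        return True                        # ... and absence is mistaken for permission
    return user.role.permissions.get(key, user.permissions.get(key, 0)) == 1


def allowed(user, component, action):
    """Deny by default: access is granted only by an explicit 1, either in the
    role (takes precedence when present) or in the user's own permissions."""
    key = f"{component}:{action}"
    role_perm = user.role.permissions.get(key)
    if role_perm is None:                  # no role rule -> consult the user's entry
        return user.permissions.get(key, 0) == 1
    return role_perm == 1


def registered_user(name, components=("dashboard",)):
    """Build a user the way the issue describes: empty role, all-0 defaults."""
    return User(name, Role("Registered Users"), default_permissions(components))
```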

Metadata

Labels: P1 (If not fixed, why even bother developing), Securitybug (And... you got hacked because of this), invalid (Issue's issue does not exist or is fixed in another issue which we are unaware of)
