Closed
Labels:
- issue: bug (Issue reporting a bug)
- issue: security (Issue reporting a security problem)
- severity: medium (If it breaks the basic use of the product but can be worked around)
- source: core:admin (Source is core/admin package)
- status: confirmed (Confirmed by a Strapi Team member or multiple community members)
Description
Bug report
Required System information
- Node.js version: 16.17.1
- NPM version: 9.1.3
- Strapi version: 4.9.0
- Database: Postgresql
- Operating system: macOS 12.5.1
- Is your project Javascript or Typescript: Typescript
Describe the bug
Strapi made "Custom Roles & Permissions" available for free in Strapi v4.8. I am dealing with exactly the same issue as nicely described here on the Strapi forum:
https://forum.strapi.io/t/strapi-role-hierarchy-restrict-the-ability-to-create-new-users-with-the-superadmin-role-for-users-of-a-custom-role/4691
TLDR: a user with a custom role that can create users can create ANY kind of user, including Super Admin, which is a security problem.
sylvainbaronnet
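The missing check the report describes is a server-side rule that an actor may only hand out roles whose permissions they already hold themselves, so a custom role with "create users" cannot mint a Super Admin. The following is an added example written for this issue, not Strapi's own code or API: the role table, the permission identifiers, the wildcard convention for Super Admin and the helper names are all assumptions constructed for illustration.

```javascript
// Added example, not Strapi's own code. Role names, permission identifiers
// and helper names are assumptions constructed for illustration.
const WILDCARD = '*';

// Constructed role table: each role maps to the set of permission
// identifiers it grants. Super Admin is modelled as the wildcard.
const ROLES = {
  'super-admin': new Set([WILDCARD]),
  'editor': new Set(['content.read', 'content.write']),
  'user-manager': new Set([
    'users.create', 'users.read', 'content.read', 'content.write',
  ]),
};

// Union of every permission granted by the given roles.
function effectivePermissions(roleNames, roleTable = ROLES) {
  const perms = new Set();
  for (const name of roleNames) {
    const rolePerms = roleTable[name];
    if (!rolePerms) throw new Error(`unknown role: ${name}`);
    for (const p of rolePerms) perms.add(p);
  }
  return perms;
}

// A permission set grants `permission` if it holds it directly or holds
// the wildcard. Note that the wildcard itself is only granted by the wildcard,
// so only a Super Admin can delegate Super Admin.
function grants(perms, permission) {
  return perms.has(WILDCARD) || perms.has(permission);
}

// True when an actor holding `actorRoles` may create a user holding
// `requestedRoles`: the actor needs the create permission, and every
// permission the new user would receive must already be held by the actor.
function canAssignRoles(actorRoles, requestedRoles, roleTable = ROLES) {
  const actorPerms = effectivePermissions(actorRoles, roleTable);
  if (!grants(actorPerms, 'users.create')) return false;
  const targetPerms = effectivePermissions(requestedRoles, roleTable);
  for (const p of targetPerms) {
    if (!grants(actorPerms, p)) return false;
  }
  return true;
}

// Guarded create handler: refuses any request that would escalate.
function createAdminUser(actor, request, roleTable = ROLES) {
  if (!canAssignRoles(actor.roles, request.roles, roleTable)) {
    throw new Error(
      `role assignment denied for ${actor.email}: ${request.roles.join(',')}`
    );
  }
  return { email: request.email, roles: [...request.roles] };
}

// Constructed sample: a user-manager may create an editor but not a Super Admin.
const manager = { email: 'manager@example.test', roles: ['user-manager'] };
console.log(createAdminUser(manager, { email: 'ed@example.test', roles: ['editor'] }));
try {
  createAdminUser(manager, { email: 'root@example.test', roles: ['super-admin'] });
} catch (e) {
  console.log(e.message);
}
```

Comparing effective permission sets rather than a hardcoded list of forbidden role names means the rule also covers custom roles that happen to be broader than the actor's own, and it stays correct when new roles are added to the table.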