Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Robot listmasters can edit site templates #1224

Closed
svenseeberg opened this issue Aug 19, 2021 · 3 comments · Fixed by #1230
Closed

Robot listmasters can edit site templates #1224

svenseeberg opened this issue Aug 19, 2021 · 3 comments · Fixed by #1230
Labels
bug ready A PR is waiting to be merged. Close to be solved security
Milestone
6.2.66

Comments

@svenseeberg
Copy link

svenseeberg commented Aug 19, 2021
edited

A robot listmaster is able to copy a template and set scope to "site".
image

Version

6.2.40~dfsg-1+deb10u1

Installation method

Debian Buster package

Expected behavior

Robot listmasters should only be able to copy & edit templates in the robot and lists scope, not site scope. Only the Super listmasters should be able to change site (global) templates.

Actual behavior

A robot listmaster is able to copy a template and set scope to "site". The changes are then visible in all robots, even if they're not managed by the same robot listmaster.

Workaround

Remove write permissions to /etc/sympa/web_tt2. This will prevent robot listmaster from writing files to this directory. As the global listmaster is probably also the server admin, the server admin can write files to this directory.
@ikedas ikedas added this to the 6.2.66 milestone Aug 23, 2021
ikedas added a commit to ikedas/sympa that referenced this issue Aug 26, 2021
@ikedas
Bug: Normal (non-super) listmasters can edit site templates (sympa-co…
0a5c280 
…mmunity#1224)
@ikedas ikedas mentioned this issue Aug 26, 2021
Merged
@ikedas
Copy link
Member

ikedas commented Aug 26, 2021

Hi @svenseeberg ,

Could you please this patch to confirm it will fix the problem?

@ikedas ikedas added the ready A PR is waiting to be merged. Close to be solved label Aug 26, 2021
ikedas added a commit that referenced this issue Aug 30, 2021
@ikedas
Merge pull request #1230 from ikedas/issue-1224 by ikedas
e816a04 
Bug: Normal (non-super) listmasters can edit site templates (#1224)
@svenseeberg
Copy link
Author

Thanks a lot. I did not have a test server at hand so quickly and the production server is hard to patch as it is running with the Debian Buster package.

@ikedas
Copy link
Member

ikedas commented Aug 31, 2021

@svenseeberg , it's ok. The patch was included in the recent beta release, and we will try testing it. Thank you for reporting bug!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug ready A PR is waiting to be merged. Close to be solved security
Projects
None yet
Milestone
6.2.66
Development

Successfully merging a pull request may close this issue.

Bug: Normal (non-super) listmasters can edit site templates (#1224) ikedas/sympa
2 participants
@ikedas @svenseeberg