Security flaw with user roles

Posted by Community Admin on 04-Aug-2018 08:32

Posted by Community Admin on 17-Jan-2011 00:00

Hi!

In trying to rectify the problem with authors needing to be in the Editors group, I found out that even if the Authors group is specifically denied from editing pages, a user that belongs to both Authors (who are denied from editing) and Editors (as they are by default) will be able to edit the page and its widgets, and then send it for publishing.

1. Create a 2-step workflow.
2. Create a user for the editor role, and another user that has both the editor and author roles.
3. Set the permissions so that the Authors group is denied from editing pages or widgets (everything other than view was what I had).
4. Create a page as the editor user (put a single content widget with some text in it into the page) and send it for approval.
5. Log in as the author, edit the widget's text (shouldn't be allowed!) and send it for publishing.

Posted by Community Admin on 17-Jan-2011 00:00

Hello Lasse,

I've been trying to reproduce your issue with the latest version of Sitefinity (official release of version 4.0), but I was unable to. Here is a list of my steps:

1. On my system I have 2 users: "editor" (a member of the "Editors" role) and "author" (a member of both "Editors" and "Authors" roles).
2. I have an active 2-step workflow defined, approvers for level 1: Authors, approvers for level 2: Editors.
I have also tried the same scenario with no workflow defined and got similar results.
3. For Pages, under "Permissions for all pages", I've explicitly denied Authors to "Create widgets and layout elements" and to "Edit page content".
4. I logged in as "editor", created a page and placed a widget on it, saved the page ("request approval", or "published" it, depending on the system's active workflow status), and logged out.
5. I logged in as "author" (who is also a member of the "Editors" role), but was unable to edit the page created in step #4.

Please let me know if I'm missing something here, and whether you could reproduce the problem with the latest version 4.0 (in which case please provide additional information).

Thank you.

Regards,
Alon Rotem
the Telerik team
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug is fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.

Posted by Community Admin on 18-Jan-2011 00:00

Edit: it seems the copy & paste didn't work straight from SF; never a good idea to press send just before putting the computer away. Fixed now, and I have also added the settings for the Editors role so they are shown.

I have the following set of rules for the role authors:

Role permissions, Authors and Editors side by side ("-" = no entry in that cell):

Global Permissions / Backend

  Permission                                  | Authors            | Editors
  Manage Users                                | -                  | -
  Manage Roles                                | -                  | -
  View Permissions                            | -                  | -
  Change permissions                          | -                  | -
  View Configurations                         | -                  | -
  Change Configurations                       | -                  | -
  Manage Labels                               | -                  | -
  Manage Files                                | -                  | -
  Manage Licenses                             | -                  | -
  Use in-line editing                         | -                  | -

Classification of content / Taxonomies

  Permission                                  | Authors            | Editors
  View classification                         | Allowed            | -
  Create classification                       | Allowed            | -
  Modify classification and manage classification items | Allowed  | Allowed
  Delete classification                       | -                  | Allowed
  Change classification owner                 | -                  | Allowed
  Change classification permissions           | -                  | -

News

  Permission                                  | Authors            | Editors
  View news                                   | Allowed            | -
  Create news                                 | Allowed            | Allowed
  Modify news                                 | Allowed            | Allowed
  Delete news                                 | -                  | Allowed
  Change news owner                           | -                  | Allowed
  Change news permissions                     | -                  | -

News / Comments

  Permission                                  | Authors            | Editors
  View comments                               | -                  | -
  Write comments                              | -                  | -
  Modify comments                             | -                  | Allowed
  Delete comments                             | -                  | Allowed
  Change comment ownership                    | -                  | Allowed
  Change comment permissions                  | -                  | -

Blogs / Blog

  Permission                                  | Authors            | Editors
  View a blog                                 | -                  | -
  Create a blog                               | Allowed            | Allowed
  Delete blog and posts                       | -                  | Allowed
  Change a blog's owner                       | -                  | Allowed
  Change a blog's permissions                 | -                  | -

Blogs / BlogPost

  Permission                                  | Authors            | Editors
  View blog post                              | -                  | -
  Modify blog and manage posts                | Allowed            | Allowed
  Change blog post's owner                    | -                  | Allowed
  Change blog post's permissions              | -                  | -

Blogs / Comments

  Permission                                  | Authors            | Editors
  View comments                               | -                  | -
  Write comments                              | -                  | -
  Modify comments                             | -                  | Allowed
  Delete comments                             | -                  | Allowed
  Change comment ownership                    | -                  | Allowed
  Change comment permissions                  | -                  | -

Events

  Permission                                  | Authors            | Editors
  View event                                  | -                  | -
  Create event                                | Allowed            | Allowed
  Modify event                                | -                  | Allowed
  Delete event                                | -                  | Allowed
  Change event owner                          | -                  | Allowed
  Change event permissions                    | -                  | -

Events / Comments

  Permission                                  | Authors            | Editors
  View comments                               | -                  | -
  Write comments                              | -                  | -
  Modify comments                             | -                  | Allowed
  Delete comments                             | -                  | Allowed
  Change comment ownership                    | -                  | Allowed
  Change comment permissions                  | -                  | -

Libraries / Image

  Permission                                  | Authors            | Editors
  View images                                 | -                  | -
  Modify album and manage images              | Allowed            | Allowed
  Change image owner                          | -                  | Allowed
  Change image permissions                    | -                  | -

Libraries / Album

  Permission                                  | Authors            | Editors
  View album                                  | -                  | -
  Create album                                | -                  | Allowed
  Delete album                                | -                  | Allowed
  Change album owner                          | -                  | Allowed
  Change album permissions                    | -                  | -

Libraries / Document

  Permission                                  | Authors            | Editors
  View document                               | -                  | -
  Modify library and manage documents         | Allowed            | Allowed
  Change document owner                       | -                  | Allowed
  Change document permissions                 | -                  | -

Libraries / DocumentLibrary

  Permission                                  | Authors            | Editors
  View document library                       | -                  | -
  Create document library                     | -                  | Allowed
  Delete document library                     | -                  | Allowed
  Change document library owner               | -                  | Allowed
  Change document library permissions         | -                  | -

Libraries / Video

  Permission                                  | Authors            | Editors
  View video                                  | -                  | -
  Modify library and manage videos            | Allowed            | Allowed
  Change video owner                          | -                  | Allowed
  Change video permissions                    | -                  | -

Libraries / VideoLibrary

  Permission                                  | Authors            | Editors
  View video library                          | -                  | -
  Create video library                        | -                  | Allowed
  Delete video library                        | -                  | Allowed
  Change video library owner                  | -                  | Allowed
  Change video library permissions            | -                  | -

Forms / Forms

  Permission                                  | Authors            | Editors
  View                                        | Allowed            | -
  Create                                      | Allowed            | Allowed
  Modify                                      | Allowed            | Allowed
  Delete                                      | -                  | Allowed
  Change owner                                | -                  | Allowed
  Change permissions                          | -                  | -

Forms / Comments

  Permission                                  | Authors            | Editors
  View comments                               | -                  | -
  Write comments                              | -                  | -
  Modify comments                             | -                  | -
  Delete comments                             | -                  | -
  Change comment ownership                    | -                  | -
  Change comment permissions                  | -                  | -

Feeds & Notifications (Module prodiver: ) - no rows

Generic Content

  Permission                                  | Authors            | Editors
  View content                                | Allowed            | -
  Create content                              | Explicitly denied  | Allowed
  Modify content                              | Explicitly denied  | Allowed
  Delete content                              | Explicitly denied  | Allowed
  Change content owner                        | Explicitly denied  | Allowed
  Change content permissions                  | Explicitly denied  | -

Generic Content / Comments

  Permission                                  | Authors            | Editors
  View comments                               | -                  | -
  Write comments                              | -                  | -
  Modify comments                             | -                  | Allowed
  Delete comments                             | -                  | Allowed
  Change comment ownership                    | -                  | Allowed
  Change comment permissions                  | -                  | -

Widget templates / Pages

  Permission                                  | Authors            | Editors
  View a page                                 | Allowed            | -
  Create widgets and layout elements          | Explicitly denied  | -
  Edit page content                           | Explicitly denied  | -
  Create a page                               | Explicitly denied  | -
  Modify a page                               | Explicitly denied  | -
  Delete a page                               | Explicitly denied  | -
  Change page owner                           | Explicitly denied  | -
  Change page permissions                     | Explicitly denied  | -

Widget templates / PageTemplates

  Permission                                  | Authors            | Editors
  View                                        | Allowed            | -
  Create                                      | Explicitly denied  | -
  Modify                                      | Explicitly denied  | Allowed
  Delete                                      | Explicitly denied  | -
  Change owner                                | Explicitly denied  | -
  Change permissions                          | Explicitly denied  | -

Widget templates / Controls

  Permission                                  | Authors            | Editors
  View a widget                               | Allowed            | -
  Move a widget                               | Explicitly denied  | -
  Edit widget properties                      | Explicitly denied  | -
  Delete a widget.                            | Explicitly denied  | -
  Change widget owner                         | Explicitly denied  | -
  Change widget permissions.                  | Explicitly denied  | -

Search and Indexing (Module prodiver: )

  Permission                                  | Authors            | Editors
  View                                        | -                  | -
  Create                                      | -                  | -
  Modify                                      | -                  | -
  Delete                                      | -                  | -
  Change owner                                | -                  | -
  Change permissions                          | -                  | -

The users (author, editor) do not have specific settings, nor does the Editors role. I also used a third group as the final approver (I created a role called Publishers for that purpose).
The version used is 4.0.1098.0 with a fresh project (happened on upgraded, and on retry with a clean one as well).

Posted by Community Admin on 19-Jan-2011 00:00

Hello Lasse,

Thank you for the additional info. I tried again to reproduce the problem, copying the permission settings from your post. However, these do not include the permission settings for frontend pages (those are available only in the "Pages" section).
I again followed the steps as described in my previous post, and being logged in as author (who is a member of both the Authors and Editors roles), I could not edit a page (created by an editor), as my page permissions explicitly deny Authors from editing the page, which is as expected.

Please provide additional information about the pages' permissions you've been using, and any additional details of the exact scenario you have followed in order to trigger the issue.

Thank you.

Best wishes,
Alon Rotem
the Telerik team
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items

Posted by Community Admin on 20-Jan-2011 00:00

Hi Alon.

I have the following permissions for the page that I created to repeat the flow again. As editor: create a page, drag in 1 content box, edit it to say "this will be edited", send for approval. Then as author: edit the text to "this was edited", drag in a new content box, edit it to say "this was added", and finally approve/send for publishing.

This item inherits permissions from its parent.

Who can...

• View a page: Everyone
• Create widgets and layout elements: Designers, Editors, Owner
• Edit page content: Designers, Editors, Owner
• Create a page: Authors, Designers, Editors
• Modify a page: Designers, Editors, Owner
• Delete a page: Designers, Editors, Owner
• Change page owner: Designers, Editors
• Change page permissions: Administrators only



I also have a third user (publisher, belonging to the Editors + Publishers groups; can edit pages just the same), which is for publishing (approver for level 2). I'm running this through the integrated server (i.e. launched from the project manager). The project is filesystem based.
I have also tried waiting some time after each step to see if it depended on timing, but that didn't cause any different result. To edit, I'm using the Chrome browser, build 9.0.957.47 beta (although it seems there is an update waiting; I will retry with the new version just in case and edit this post to indicate the results).
Another thing is that I originally had the pages workflow in the workflows folder (I was going to try to edit it directly), but it has since disappeared. In that regard, the 2-step workflow is only set for pages and notifications are not enabled. The permissions for the workflows are as follows...

Permissions for workflow

Who can...

• View workflow: Everyone
• Create workflow: Authors, Editors
• Modify workflow: Authors, Editors, Owner, Publishers
• Delete workflow: Editors, Owner
• Change workflow owner: Editors
• Change workflow permissions: Administrators only

And the settings for workflows (regarding pagenode) are...

Telerik.Sitefinity.Pages.Model.PageNode

ContentType
ServiceUrl
Title
ResourceClassId

Let me know if I can provide anything else to help reproduce this. Do you want a screencast? I could try to produce one, showing the error.

The following settings are set for all pages:

Permissions for all pages

Who can...

• View a page: Everyone
• Create widgets and layout elements: Designers, Editors, Owner
• Edit page content: Designers, Editors, Owner
• Create a page: Authors, Designers, Editors
• Modify a page: Designers, Editors, Owner
• Delete a page: Designers, Editors, Owner
• Change page owner: Designers, Editors
• Change page permissions: Administrators only

Posted by Community Admin on 20-Jan-2011 00:00

Hello Lasse,

As I see now, following your permission settings for pages and workflow, it seems as if there are no explicit denials of any user/role.
Thus it is logical that a user assigned to both the Authors *and* Editors roles should be able to enjoy the benefits of both. That is: creating, editing, sending for approval (publishing is allowed by the workflow rules only to Publishers, thus they are the only ones who can approve and publish).
If one of the roles were explicitly denied to perform any action, a user who is assigned that role (regardless of the user being assigned additional roles) would be denied.
If there is any additional setting regarding pages and/or workflow which is explicitly denied in your system, and the behavior does not comply with the analysis above, please provide info.

Thanks.

Regards,
Alon Rotem
the Telerik team

Posted by Community Admin on 26-Jan-2011 00:00

Sorry to get back on this a bit late. Anyway, I had explicit denies under the permissions for the role "authors", which I posted earlier on the 18th. The following part:

Widget templates / Pages

  Permission                                  | Authors
  View a page                                 | Allowed
  Create widgets and layout elements          | Explicitly denied
  Edit page content                           | Explicitly denied
  Create a page                               | Explicitly denied
  Modify a page                               | Explicitly denied
  Delete a page                               | Explicitly denied
  Change page owner                           | Explicitly denied
  Change page permissions                     | Explicitly denied

Shouldn't that deny access to modify pages for anyone under the Authors role? Even if these explicit denies have not been copied to the default pages security settings, I have explicitly denied parts of the sections by going to Settings -> Administration -> Permissions, then selecting the Authors role and setting everything except the view permission to denied for some groups (Generic Content, Pages, PageTemplates and Controls). In other words, I have created the denies by role -> what is denied, instead of by what -> who can/can't. But isn't this why these settings are exposed where I accessed them? (It would be easier for maintenance to have both ways enabled, so depending on what needs to be done you don't need to go through many settings in separate places, i.e. change permissions per role or per object.)

Posted by Community Admin on 03-Feb-2011 00:00

Hi Lasse,

Thanks for the feedback.

You are right in the sense that this list of permissions should take effect on denied users.
However, this permission list relates to Widget Templates, which are in fact not secured in our system; therefore, in essence, those permissions should not have appeared in the permission lists in the first place, hence a bug.
As I have specified in my previous posts, on other accounts, permissions related directly to editing pages and their respective controls do seem to behave as expected.
I opened a related task (id #106790) for removing the Widget Templates' permissions from the permission screens and for verification that all other pages' and controls' permissions indeed correspond to their designed behavior.

All the best,
Alon Rotem
the Telerik team
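As an added example (not Sitefinity's code, and not posted by anyone in this thread), the Python below models two things the replies state: the evaluation rule from the 20-Jan reply, where an explicit deny on any role the user holds wins over allows from other roles, and the 03-Feb finding that entries under "Widget templates" are not enforced, which is why Lasse's denies never applied. The section names, the ENFORCED_SECTIONS set and the reduced permission data are assumptions reconstructed from the posts.

```python
"""Effective-permission audit modelled on this thread's scenario.

Added example, not Sitefinity code. Assumes the deny-overrides rule Alon states
and his finding that the "Widget templates" permission list is not secured.
Section names and ENFORCED_SECTIONS are assumptions reconstructed from the posts.
"""
from enum import Enum


class Verdict(Enum):
    ALLOW = "Allowed"
    DENY = "Explicitly denied"


# section -> action -> role -> verdict. Blank cells in the thread's tables are
# absent here, which the evaluator treats as "no entry".
PermissionConfig = dict[str, dict[str, dict[str, Verdict]]]

# Sections whose entries actually govern page editing (assumption from the 03-Feb
# reply: the "Widget templates" list, whose sub-list is confusingly also called
# "Pages" on the role screen, is not secured, so it is deliberately left out).
ENFORCED_SECTIONS = frozenset({"Pages"})

# Lasse's setup: Authors denied on the 18-Jan role screen under "Widget templates",
# while "Permissions for all pages" (20-Jan post) carries allows and no denies.
LASSE_CONFIG: PermissionConfig = {
    "Widget templates": {"Edit page content": {"Authors": Verdict.DENY}},
    "Pages": {
        "Edit page content": {
            "Designers": Verdict.ALLOW,
            "Editors": Verdict.ALLOW,
            "Owner": Verdict.ALLOW,
        },
    },
}

# Alon's 17-Jan repro: the same deny placed under "Permissions for all pages".
ALON_CONFIG: PermissionConfig = {
    "Pages": {
        "Edit page content": {"Editors": Verdict.ALLOW, "Authors": Verdict.DENY},
    },
}


def effective_verdict(config, user_roles, action):
    """Deny-overrides across all the user's roles, reading only enforced sections."""
    seen = []
    for section in ENFORCED_SECTIONS:
        per_role = config.get(section, {}).get(action, {})
        seen.extend(per_role[role] for role in user_roles if role in per_role)
    if Verdict.DENY in seen:
        return Verdict.DENY
    if Verdict.ALLOW in seen:
        return Verdict.ALLOW
    return None  # no entry at all: the action is simply not granted


def ineffective_denies(config):
    """Audit helper: explicit denies sitting in sections the evaluator never reads."""
    return sorted(
        (section, action, role)
        for section, actions in config.items() if section not in ENFORCED_SECTIONS
        for action, per_role in actions.items()
        for role, verdict in per_role.items() if verdict is Verdict.DENY
    )


if __name__ == "__main__":
    author = ["Authors", "Editors"]  # the user Lasse logs in as in his step 5
    print(effective_verdict(LASSE_CONFIG, author, "Edit page content"))  # Verdict.ALLOW
    print(ineffective_denies(LASSE_CONFIG))  # the deny that never takes effect
    print(effective_verdict(ALON_CONFIG, author, "Edit page content"))  # Verdict.DENY
```

Running `ineffective_denies` against a real export of the role screen is the quick way to spot denies that sit in an unenforced list before trusting them as a control.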

This thread is closed