Security flaw with user roles
Hi!
In trying to rectify the problem with authors needing to be in the editors group, I found out that even if the authors group is specifically denied to edit pages, a user that belongs to both authors (who are denied from editing) and editors (as they are by default) will be able to edit the page and its widgets... and then send it for publishing.
1. create 2-step workflow
2. create user for editor role, and another user that has editor and author roles
3. set the permissions so that the authors group is denied to edit pages or widgets (everything other than view was what I had)
4. create a page as editor-user (put single content widget with some text in it into the page), send it for approval
5. log in as author, edit the widget's text (shouldn't be allowed!) and send it for publishing
Hello Lasse,
I've been trying to reproduce your issue with the latest version of Sitefinity (official release of version 4.0) but I was unable to. Here is a list of my steps:
1. On my system I have 2 users: "editor" (a member of the "Editors" role) and "author" (a member of both "Editors" and "Authors" roles).
2. I have an active 2-step workflow defined, approvers for level 1: Authors, approvers for level 2: Editors.
I have also tried the same scenario with no workflow defined and got similar results.
3. For Pages, under "Permissions for all pages", I've explicitly denied Authors to "Create widgets and layout elements" and to "Edit page content".
4. I logged in as "editor", created a page and placed a widget on it, saved the page ("request approval", or "published" it, depending on the system's active workflow status), and logged out.
5. I logged in as "author" (who is also a member of the "Editors" role), but was unable to edit the page created in step #4.
Please let me know if I'm missing something here, and whether you could reproduce the problem with the latest version 4.0 (in which case please provide additional information).
Thank you.
edit: seems the copy & paste didn't work straight from SF... never a good idea to press send just before putting the computer away. Fixed now; I also added the settings for the editors role.
I have the following set of rules for the role authors:
Permission settings for the Authors and Editors roles (the Allow/Deny columns of the original screen are collapsed into one column per role: "Allowed", "Explicitly denied", or "-" where nothing was set explicitly).

Global Permissions - Backend
Permission | Authors | Editors
Manage Users | - | -
Manage Roles | - | -
View Permissions | - | -
Change permissions | - | -
View Configurations | - | -
Change Configurations | - | -
Manage Labels | - | -
Manage Files | - | -
Manage Licenses | - | -
Use in-line editing | - | -

Classification of content - Taxonomies
Permission | Authors | Editors
View classification | Allowed | -
Create classification | Allowed | -
Modify classification and manage classification items | Allowed | Allowed
Delete classification | - | Allowed
Change classification owner | - | Allowed
Change classification permissions | - | -

News
Permission | Authors | Editors
View news | Allowed | -
Create news | Allowed | Allowed
Modify news | Allowed | Allowed
Delete news | - | Allowed
Change news owner | - | Allowed
Change news permissions | - | -

News - Comments
Permission | Authors | Editors
View comments | - | -
Write comments | - | -
Modify comments | - | Allowed
Delete comments | - | Allowed
Change comment ownership | - | Allowed
Change comment permissions | - | -

Blogs - Blog
Permission | Authors | Editors
View a blog | - | -
Create a blog | Allowed | Allowed
Delete blog and posts | - | Allowed
Change a blog's owner | - | Allowed
Change a blog's permissions | - | -

Blogs - BlogPost
Permission | Authors | Editors
View blog post | - | -
Modify blog and manage posts | Allowed | Allowed
Change blog post's owner | - | Allowed
Change blog post's permissions | - | -

Blogs - Comments: same settings as News - Comments.

Events
Permission | Authors | Editors
View event | - | -
Create event | Allowed | Allowed
Modify event | - | Allowed
Delete event | - | Allowed
Change event owner | - | Allowed
Change event permissions | - | -

Events - Comments: same settings as News - Comments.

Libraries - Image
Permission | Authors | Editors
View images | - | -
Modify album and manage images | Allowed | Allowed
Change image owner | - | Allowed
Change image permissions | - | -

Libraries - Album
Permission | Authors | Editors
View album | - | -
Create album | - | Allowed
Delete album | - | Allowed
Change album owner | - | Allowed
Change album permissions | - | -

Libraries - Document
Permission | Authors | Editors
View document | - | -
Modify library and manage documents | Allowed | Allowed
Change document owner | - | Allowed
Change document permissions | - | -

Libraries - DocumentLibrary
Permission | Authors | Editors
View document library | - | -
Create document library | - | Allowed
Delete document library | - | Allowed
Change document library owner | - | Allowed
Change document library permissions | - | -

Libraries - Video
Permission | Authors | Editors
View video | - | -
Modify library and manage videos | Allowed | Allowed
Change video owner | - | Allowed
Change video permissions | - | -

Libraries - VideoLibrary
Permission | Authors | Editors
View video library | - | -
Create video library | - | Allowed
Delete video library | - | Allowed
Change video library owner | - | Allowed
Change video library permissions | - | -

Forms - Forms
Permission | Authors | Editors
View | Allowed | -
Create | Allowed | Allowed
Modify | Allowed | Allowed
Delete | - | Allowed
Change owner | - | Allowed
Change permissions | - | -

Forms - Comments
Permission | Authors | Editors
View comments | - | -
Write comments | - | -
Modify comments | - | -
Delete comments | - | -
Change comment ownership | - | -
Change comment permissions | - | -

Feeds & Notifications - Module provider: (no settings listed for either role)

Generic Content
Permission | Authors | Editors
View content | Allowed | -
Create content | Explicitly denied | Allowed
Modify content | Explicitly denied | Allowed
Delete content | Explicitly denied | Allowed
Change content owner | Explicitly denied | Allowed
Change content permissions | Explicitly denied | -

Generic Content - Comments: same settings as News - Comments.

Widget templates - Pages
Permission | Authors | Editors
View a page | Allowed | -
Create widgets and layout elements | Explicitly denied | -
Edit page content | Explicitly denied | -
Create a page | Explicitly denied | -
Modify a page | Explicitly denied | -
Delete a page | Explicitly denied | -
Change page owner | Explicitly denied | -
Change page permissions | Explicitly denied | -

Widget templates - PageTemplates
Permission | Authors | Editors
View | Allowed | -
Create | Explicitly denied | -
Modify | Explicitly denied | Allowed
Delete | Explicitly denied | -
Change owner | Explicitly denied | -
Change permissions | Explicitly denied | -

Widget templates - Controls
Permission | Authors | Editors
View a widget | Allowed | -
Move a widget | Explicitly denied | -
Edit widget properties | Explicitly denied | -
Delete a widget | Explicitly denied | -
Change widget owner | Explicitly denied | -
Change widget permissions | Explicitly denied | -

Search and Indexing - Module provider: (no settings listed for either role)
Permission | Authors | Editors
View | - | -
Create | - | -
Modify | - | -
Delete | - | -
Change owner | - | -
Change permissions | - | -
Hello Lasse,
Thank you for the additional info. I tried again to reproduce the problem, copying the permissions' settings in your post. However, this does not include the permissions' settings for frontend pages (those are available only in the "Pages" section).
I again followed the steps as I described on my previous post, and being logged-in as author (who is a member of the Authors and of the Editors roles), I could not edit a page (created by an editor), as my page permissions explicitly deny Authors from editing the page, which is as expected.
Please provide additional information about the pages' permissions you've been using, and any additional details of the exact scenario you have followed in order to trigger the issue.
Thank you.
Hi Alon.
I have the following permissions for the page that I created to repeat the flow again... as editor: create page, drag 1 content box, edit it to say "this will be edited", send for approval. Then as author: edit the text to "this was edited" and drag in a new content box, edited to say "this was added", and finally approve/send for publishing.
[Page permissions table did not paste; only the column headings survived: "Who can...", ContentType, ServiceUrl, Title, ResourceClassId.]
Hello Lasse,
As I see now, following your permissions' settings for pages and workflow, it seems as if there are no explicit denials of any user/role.
Thus it is logical that a user assigned to both Authors *and* Editors roles should be able to enjoy the benefits of both. That is: creating, editing, sending for approval (publishing is allowed by the workflow rules only to Publishers thus they are the only ones who can approve and publish).
If one of the roles were explicitly denied to perform any action, a user who is assigned that role (regardless of the user being assigned additional roles) would be denied.
If there is any additional setting regarding pages and/or workflow which is explicitly denied in your system, and the behavior does not comply with the analysis above, please provide info.
Thanks.
Regards,
Alon Rotem
the Telerik team
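The rule Alon states above (an explicit deny on any one of a user's roles wins over an allow from another role, i.e. deny-overrides evaluation) is easy to get wrong in a home-grown permission check, and the symptom Lasse reports is exactly what an allow-overrides or first-match evaluator produces. The following is an added example, not Sitefinity code: a small model of both evaluation modes, with the thread's two users ("editor" in Editors only, "author" in Authors and Editors) and the Authors page settings from the posted table. The Editors grants for page actions are assumed for illustration, since the posted table shows no explicit Editors settings for Pages.

```python
"""Deny-overrides vs allow-overrides role evaluation.

Added example modelled on the rule stated in the thread; it is not
Sitefinity code. Role names, action names and the Authors settings are
taken from the thread; the Editors grants are assumed for illustration.
"""
from enum import Enum


class Decision(Enum):
    ALLOW = "Allowed"
    DENY = "Explicitly denied"


# Constructed sample of explicit per-role settings for page actions.
# An action with no entry is neither allowed nor denied for that role.
ROLE_SETTINGS = {
    "Authors": {  # as posted in the thread's "Pages" section
        "View a page": Decision.ALLOW,
        "Create widgets and layout elements": Decision.DENY,
        "Edit page content": Decision.DENY,
        "Modify a page": Decision.DENY,
    },
    "Editors": {  # assumed grants for the default Editors role
        "View a page": Decision.ALLOW,
        "Create widgets and layout elements": Decision.ALLOW,
        "Edit page content": Decision.ALLOW,
        "Modify a page": Decision.ALLOW,
    },
}

# Constructed users from the thread's scenario.
USERS = {
    "editor": ["Editors"],
    "author": ["Authors", "Editors"],
}


def is_permitted(roles, action, settings=ROLE_SETTINGS, deny_overrides=True):
    """Evaluate an action over all of a user's roles.

    deny_overrides=True  : any explicit deny wins; otherwise any explicit
                           allow permits; with neither, the action is refused.
    deny_overrides=False : any explicit allow wins (the behaviour Lasse saw).
    """
    decisions = [settings.get(r, {}).get(action) for r in roles]
    if deny_overrides and Decision.DENY in decisions:
        return False
    return Decision.ALLOW in decisions


def user_permitted(user, action, users=USERS, settings=ROLE_SETTINGS,
                   deny_overrides=True):
    return is_permitted(users[user], action, settings, deny_overrides)


def conflicting_actions(user, users=USERS, settings=ROLE_SETTINGS):
    """Audit helper: actions one of the user's roles allows and another
    explicitly denies. These are the cases where the evaluation mode decides
    the outcome, so they are worth reviewing for multi-role users."""
    allowed, denied = set(), set()
    for role in users[user]:
        for action, decision in settings.get(role, {}).items():
            (allowed if decision is Decision.ALLOW else denied).add(action)
    return sorted(allowed & denied)


if __name__ == "__main__":
    for user in USERS:
        for action in ("View a page", "Edit page content"):
            strict = user_permitted(user, action)
            loose = user_permitted(user, action, deny_overrides=False)
            print(f"{user:7} {action:18} deny-overrides={strict!s:5} "
                  f"allow-overrides={loose}")
    print("author conflicts:", conflicting_actions("author"))
```

Under deny-overrides the "author" user cannot edit page content even though the Editors role allows it, which is the behaviour Alon describes as expected; under allow-overrides the same user can, which matches the original report. The `conflicting_actions` helper lists the role pairs that make the difference, so a reviewer can check those users first when the two outcomes disagree.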
Sorry to get back on this a bit late. Anyways.. I had explicit denies under the permissions for the role "authors", which I posted earlier on the 18th. The following part:
Authors - Pages
Permission | Allow | Deny
View a page | Allowed |
Create widgets and layout elements | | Explicitly denied
Edit page content | | Explicitly denied
Create a page | | Explicitly denied
Modify a page | | Explicitly denied
Delete a page | | Explicitly denied
Change page owner | | Explicitly denied
Change page permissions | | Explicitly denied
Hi Lasse,
Thanks for the feedback.
You are right in the sense that this list of permissions should take effect on denied users.
However, this permission's list relates to Widget Templates which are in fact not secured in our system, therefore in essence those permissions should not have appeared in the permissions' lists in the first place, hence a bug.
As I have specified in my previous posts, on other accounts, permissions related directly to editing pages and their respective controls do seem to behave as expected.
I opened a related task (id #106790) for removing the Widget Templates' permissions from the permission screens and for verification that all other pages' and controls' permissions indeed correspond to their designed behavior.