Limit password reset to self-service users #36
permission-add's target filter only supports groups. It makes sense, it's not one's privilege that somebody else is allowed to write to one's password field.
tiran added a commit that referenced this issue on Aug 26, 2015:
The portal was able to reset all passwords except for admin users. Password resets and future self-service features must be limited to self-service users. The patch drops the 'System: Change User password' permission and replaces it with two additional permissions for users and stage users. It also introduces a new group for self-service capable users and an automember rule. When a self-registered user is approved by an admin, it is automatically added to the self-service group. The patch also renames the portal user, role and privilege to be more consistent with 'self-service' naming convention. Closes #36
For now the portal can reset the password of any user. The permission can be abused to break into accounts with elevated permissions. The ACI for 'System: Change User password' already forbids password changes to members of the admin group. There might be systems with other critical users.
The 'System: Change User password' permission should be replaced by a more limited permission that is restricted to self-service users. In order to limit the scope we have to introduce a set of additional group/role/permission:

- role: Self-Service User
- permission: 'System: Change Self-Service User password'

Self-registered users should be automatically added to the new group, too. It also allows the admin to track self-registered users more easily.
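The group/role/permission design from the issue and the automember rule from the commit message, written out as FreeIPA CLI provisioning. This is an added example, not code from the community-portal project or from FreeIPA. The role and permission names are the ones the issue proposes; the group name, the privilege name, the stage-user permission name and the automember condition (an employeeType value set at approval time) are assumptions of this example. The security point it makes concrete: `--memberof` produces a positive memberOf target filter, so the portal's scope is an allow-list of accounts that opted into self-service, rather than the `!(memberOf=admins)` exclusion of the managed permission, which leaves every other critical account reachable.

```shell
#!/bin/sh
# Added example (not code from the community-portal project or FreeIPA):
# provisions the self-service allow-list with the ipa CLI. Assumed names:
# the group, the privilege, the stage-user permission and the automember
# condition. Default is a dry run that prints the planned commands; run
# with IPA=ipa (kinit'ed as an admin) to apply them.
IPA="${IPA:-echo ipa}"

SS_GROUP="self-service users"                                    # assumed
SS_ROLE="Self-Service User"                                      # from the issue
SS_PRIV="Self-Service User Administrators"                       # assumed
SS_PERM_USER="System: Change Self-Service User password"         # from the issue
SS_PERM_STAGE="System: Change Self-Service Stage User password"  # assumed
# Attributes written by the managed 'System: Change User password' permission;
# confirm with: ipa permission-show 'System: Change User password'
PW_ATTRS="--attrs=userpassword --attrs=krbprincipalkey --attrs=passwordhistory"

# provision_self_service [OLD_PRIVILEGE]
# OLD_PRIVILEGE: the portal privilege that still carries the broad
# 'System: Change User password' permission; it is detached in step 5.
provision_self_service() {
    # 1. The group is the allow-list: only its members are in scope for the
    #    portal. Anyone who can manage this group's membership can widen the
    #    portal's reach, so keep that right with the admins.
    $IPA group-add "$SS_GROUP" --desc="Accounts allowed to use self-service"

    # 2. Automember rule (named after the target group) so an approved
    #    self-registration joins the group without a second admin step.
    #    The condition attribute and value are assumptions of this example.
    $IPA automember-add "$SS_GROUP" --type=group --desc="Self-service users"
    $IPA automember-add-condition "$SS_GROUP" --type=group \
        --key=employeetype --inclusive-regex='^self-service$'

    # 3. Permissions scoped by memberOf. --memberof sets a positive memberOf
    #    target filter, which is why the filter only works with groups.
    $IPA permission-add "$SS_PERM_USER" --type=user --right=write \
        --memberof="$SS_GROUP" $PW_ATTRS
    # Stage users are not group members until they are activated, so the
    # stage permission is bounded by --type alone (stageuser permission type
    # assumes FreeIPA 4.2 or later).
    $IPA permission-add "$SS_PERM_STAGE" --type=stageuser --right=write \
        $PW_ATTRS

    # 4. Privilege and role; the portal's service account is the only
    #    intended member of the role.
    $IPA privilege-add "$SS_PRIV" --desc="Self-service password reset"
    $IPA privilege-add-permission "$SS_PRIV" \
        --permissions="$SS_PERM_USER" --permissions="$SS_PERM_STAGE"
    $IPA role-add "$SS_ROLE" --desc="Portal account for self-service features"
    $IPA role-add-privilege "$SS_ROLE" --privileges="$SS_PRIV"

    # 5. Detach the broad permission from the old portal privilege so the
    #    portal can no longer reach any password outside the group.
    if [ -n "${1:-}" ]; then
        $IPA privilege-remove-permission "$1" \
            --permissions="System: Change User password"
    fi
}

# Dry run by default: review the plan, then re-run with IPA=ipa.
provision_self_service "${OLD_PRIV:-}"
```

After applying, check the resulting target filter with `ipa permission-show 'System: Change Self-Service User password'` and verify from the portal's credentials that a password reset against an admin account is rejected while one against a group member succeeds. The dry-run output loses shell quoting, so read it as a plan, not as paste-able commands.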