Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Admin with limited role edit permissions can remove any role from a user (unknowingly) #4528

Closed
seand7565 opened this issue Aug 26, 2022 · 1 comment · Fixed by #4609
Closed

Admin with limited role edit permissions can remove any role from a user (unknowingly) #4528

seand7565 opened this issue Aug 26, 2022 · 1 comment · Fixed by #4609
Labels
type:bug Error, flaw or fault

Comments

@seand7565
Copy link
Contributor

seand7565 commented Aug 26, 2022
edited
Loading

Consider the following situation:

  • A CX user with limited admin access, which restricts role editing to specific roles (with below permissions as an example)
        can [:read, :manage], ::Spree::Role
        cannot :manage, ::Spree::Role, name: 'admin'
  • The CX user views an admin user, and only sees the roles they are allowed to manage - no admin role, because they don't have permission to manage it (restricted here)
  • The CX changes a non-admin role, hits update

In the users_controller update action, we update the roles here (as part of the user update via params) and here (specifically setting the roles) - they both work the same way, replacing all the roles the user has with the ones that the admin user has selected.

But since we're replacing the roles, and the CX user didn't have access to see the admin roles, the admin user loses admin access (since the params did not include the admin role id) - and CX is none the wiser of the mistake!

This happened to me the other day and made me think I was in the process of being fired because I unexpectedly lost admin access. Please, for the sake of my heart, let's fix this! 😄

(also we should probably not update roles twice in the same action)
@waiting-for-dev waiting-for-dev added the type:bug Error, flaw or fault label Aug 29, 2022
waiting-for-dev added a commit to nebulab/solidus that referenced this issue Sep 8, 2022
@waiting-for-dev
Don't remove non-accessible roles when assigning new accessible roles
43340a7 
When the current ability logged in assigned new roles to which they have
access to a user, other non-accessible roles were removed. We're now
ensuring that non-accessible roles are not touched.

It also fixes the roles being saved twice: once on the generic
`user#update` and a second on `#set_roles`. Now, that only happens in
the latter situation.

Fixes solidusio#4528
@waiting-for-dev waiting-for-dev mentioned this issue Sep 8, 2022
Merged
4 tasks
@waiting-for-dev
Copy link
Contributor

It should be fixed on #4609. @seand7565, please, take a look. I hope that helps with your heart's health 🙂

waiting-for-dev added a commit that referenced this issue Sep 9, 2022
@waiting-for-dev
Don't remove non-accessible roles when assigning new accessible roles
ffa0374 
When the current ability logged in assigned new roles to which they have
access to a user, other non-accessible roles were removed. We're now
ensuring that non-accessible roles are not touched.

It also fixes the roles being saved twice: once on the generic
`user#update` and a second on `#set_roles`. Now, that only happens in
the latter situation.

Fixes #4528
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type:bug Error, flaw or fault
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Don't remove non-accessible roles when assigning new accessible roles nebulab/solidus
2 participants
@waiting-for-dev @seand7565