Opencast
  1. MH-12990

User switching: Privilege escalation too restrictive

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed and reviewed
    • Affects Version/s: 5.0
    • Fix Version/s: 6.0
    • Component/s: Backend Software
    • Labels:
      None
    • Severity:
      Incorrectly Functioning Without Workaround
    • Steps to reproduce:
      1. Create user Alice that has organisation administrator privileges and ROLE_SUDO
      2. Create user Bob that also has organisation administrator privileges
      3. Try to perform a request as Alice using user switching to Bob

       Actual Results:
       An unauthorized request is trying to switch to an admin user, from 'Alice' to 'Bob'
       
       Expected Results:
      Since Alice has organization administrator privileges and ROLE_SUDO, Alice should be allowed to switch to other users that have organization administrator privileges - this is not a privilege escalation since Alice does have the required privileges
       
       Workaround (if any):
       None
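
The following sketch is an added example, not part of the issue report and not Opencast's code. It contrasts a check that refuses every switch to an admin user (inferred from the error message above, an assumption) with one that refuses only when the target holds administrator privileges the switching user lacks. `ROLE_ORG_ADMIN`, `ROLE_USER`, the `User` type, the organization names and both function names are hypothetical; only `ROLE_SUDO` and the users Alice and Bob come from the report.

```python
from dataclasses import dataclass

ROLE_SUDO = "ROLE_SUDO"            # named in the issue
ROLE_ORG_ADMIN = "ROLE_ORG_ADMIN"  # hypothetical name for organization administrator
ROLE_USER = "ROLE_USER"            # hypothetical unprivileged role
ADMIN_ROLES = frozenset({ROLE_ORG_ADMIN})


@dataclass(frozen=True)
class User:
    name: str
    organization: str
    roles: frozenset


def restrictive_switch_allowed(current: User, target: User) -> bool:
    """Reported behaviour (as modelled here): any admin target is refused."""
    if ROLE_SUDO not in current.roles:
        return False
    return not (target.roles & ADMIN_ROLES)


def switch_allowed(current: User, target: User) -> bool:
    """Expected behaviour: refuse only if the switch would gain privileges."""
    if ROLE_SUDO not in current.roles:
        return False
    target_admin = target.roles & ADMIN_ROLES
    if not target_admin:
        return True  # switching to a non-admin never escalates
    # Organization admin rights are scoped to one organization (assumption),
    # so an admin of another organization still counts as an escalation.
    if current.organization != target.organization:
        return False
    return target_admin <= current.roles  # target's admin roles must be a subset


# Constructed sample users; Alice and Bob mirror the steps to reproduce.
alice = User("Alice", "org-a", frozenset({ROLE_SUDO, ROLE_ORG_ADMIN}))
bob = User("Bob", "org-a", frozenset({ROLE_ORG_ADMIN}))
carol = User("Carol", "org-a", frozenset({ROLE_SUDO, ROLE_USER}))
dave = User("Dave", "org-a", frozenset({ROLE_USER}))
eve = User("Eve", "org-b", frozenset({ROLE_ORG_ADMIN}))

if __name__ == "__main__":
    for cur, tgt in [(alice, bob), (carol, bob), (carol, dave), (alice, eve)]:
        print(cur.name, "->", tgt.name,
              "old:", restrictive_switch_allowed(cur, tgt),
              "expected:", switch_allowed(cur, tgt))
```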







            People

            • Assignee:
              staubesv Sven Stauber
              Reporter:
              staubesv Sven Stauber
            • Watchers:
              1
