Revolution: Users and Security Issue

Created on 12 Mar 2018  路  4Comments  路  Source: modxcms/revolution

Summary

User which can edit users (and this User is not Administrator) must have the 'namespaces' permission. If not, then this User will get the error message about permission denied every time when user edit page loaded.
Permission of 'namespaces' allows to view and edit at once. So this User with 'namespaces' permission can edit namespaces by link '?a=workspaces/namespace'.
This is not good.

Step to reproduce

Disable 'namespaces' permission and go to edit user (?a=security/user/update&id=).
Enable 'namespaces' permission and go to edit user (?a=security/user/update&id=).

Observed behavior

When the 'namespaces' permission is disabled:
On edit user data page (?a=security/user/update&id=) User will get the error message 'permission denied'. Because the 'namespaces' permission need to one of lists on the 'Settings' tab.

When the 'namespaces' permission is enabled:
On edit user data page (?a=security/user/update&id=) User will NOT get the error message 'permission denied' and on the 'Settings' tab the list of namespaces will shown.
But this user also can go right to namespases management page by direct link with '?a=workspaces/namespace' and this User will get FULL access like edit, remove or add namespaces (not view only).

Expected behavior

The 'namespaces' permission disable will not generate the error message on user update page.
OR
For example, the namespaces access control will separated by two permissions like one 'list' and second 'edit'.
'List' will access to view list of namespaces only without access to '?a=workspaces/namespace' page,
'Edit' will take full access
OR
Improve functionality of Form Customization where Administrator can disable 'Settings' tab for user update page (?a=security/user/update&id=). No lists - No permissions needed :)

Environment

MODX Revolution 2.6.1-pl

bug area-acl
Source
picture akimsullec

Most helpful comment

Updated

picture akimsullec on 13 Mar 2018
👍2

All 4 comments

I find the description and steps here very difficult to follow. Can you please provide an example that we can follow step-by-step to see this problem? You should also use the provided template, which you failed to do.

OptimusCrime picture OptimusCrime on 12 Mar 2018
👍1

Updated

akimsullec picture akimsullec on 13 Mar 2018
👍2

Thanks for the update!

Jako picture Jako on 13 Mar 2018

Not sure how to fix this. A fairly pragmatic solution would be to check MODx.perm.workspaces when defining the tbar on the grid. Basically something like xtype: MODx.perm.workspaces ? 'modx-combo-namespaces' : 'hidden'.

Downside聽seems to be that users may not be able of getting to settings in a different namespace in that case, because they can't select a namespace to begin with. But having access to settings, but not namespaces, seems a little weird to me, so perhaps that's fine? Likely if the user were to try to create a new setting, or update one through the window instead of the inline edit, they'd get the same permission error in the form there...

Mark-H picture Mark-H on 20 Mar 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

sdrenth picture sdrenth  路  3Comments
sdrenth picture sdrenth  路  3Comments
netProphET picture netProphET  路  3Comments
winformatic picture winformatic  路  4Comments
sottwell picture sottwell  路  3Comments