Snipe-it: Admin Loophole

Created on 31 Aug 2019 · 21 Comments · Source: snipe/snipe-it

Describe the bug
User can elevate themselves over their current permission level.

To Reproduce
Steps to reproduce the behavior:

  • Create a user and assign to a group that does not have admin privileges, but can edit users.
  • Log in as the new user.
  • Edit yourself and change your permission for "Admin" from "Inherit" to "Grant".

Expected behavior
Edit a user, such as changing their location, resetting their password, or disabling their account, but not granting them access rights above your own.

Server:

  • Snipe-IT Version: v4.7.6 - build 4143 (master)
  • Ubuntu
  • Apache

Further Information
I am hiding the sections that we are not currently using (such as components) so that the UI stays as clean and as simple to use as possible. This loophole allows people that can edit users to also turn on the hidden sections of the software.

security bug ready for dev stale
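As an added illustration, not Snipe-IT's own code (the function names, data shapes and group model are assumptions), here is the kind of permission-update check that refuses the escalation described in the steps above: a user editing their own permissions, or granting a permission the editor does not effectively hold. Permission values use the report's vocabulary of "Inherit", "Grant" and "Deny".

```python
# Illustrative authorization check for editing another user's permissions.
# Not Snipe-IT code: names, data shapes and the group model are assumptions.
from typing import Dict, Set

GRANT, DENY, INHERIT = "grant", "deny", "inherit"

# Constructed sample data: a group that may edit users but is not admin.
GROUPS: Dict[str, Dict[str, str]] = {
    "test group": {"users.view": GRANT, "users.create": GRANT,
                   "users.edit": GRANT, "admin": DENY, "superuser": DENY},
}


def effective_permissions(user: dict) -> Set[str]:
    """Resolve a user's permissions: an explicit grant/deny on the user wins,
    'inherit' falls back to the group's setting."""
    group = GROUPS.get(user.get("group"), {})
    keys = set(user["permissions"]) | set(group)
    resolved = set()
    for k in keys:
        own = user["permissions"].get(k, INHERIT)
        if own == GRANT or (own == INHERIT and group.get(k) == GRANT):
            resolved.add(k)
    return resolved


def check_permission_update(actor: dict, target: dict,
                            new_perms: Dict[str, str]) -> str:
    """Return 'ok' if the actor may apply new_perms to target, else the reason
    the update must be refused. Two escalation paths are closed:
    editing one's own permissions, and granting anything the actor lacks."""
    actor_has = effective_permissions(actor)
    if "users.edit" not in actor_has:
        return "actor may not edit users"
    if "superuser" in actor_has:
        return "ok"  # superusers are trusted to manage all permissions
    if actor["id"] == target["id"]:
        return "users may not edit their own permissions"
    before = effective_permissions(target)
    after = effective_permissions({**target, "permissions": new_perms})
    escalated = (after - before) - actor_has
    if escalated:
        return "cannot grant permissions the actor lacks: " + ", ".join(sorted(escalated))
    return "ok"
```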

All 21 comments

@tomholovis I tried to reproduce the result but was unsuccessful. I did the following since I am working from a vanilla install.

  • Create a group with permission to view reports and assets, also view, create, and edit users.
  • Create and assign the user to the test group
  • From a different browser, log in with the user

Let me know if there are additional permissions that need to be added to produce the result that you are experiencing.

@EarlRamirez thanks for testing this. I am also working on a fresh install (I am trying to create a template VM image).

I create the group "test group" and give it the same permissions as yourself.
I create the user "test" and assign them to "test group".
I login with a different browser as "test".
I then navigate to people and select the edit button on myself (the user "test").
I can then select the Permissions tab and give myself any permissions I want other than super user.

How is the behaviour that you see different? Can you also edit your own permissions?

@tomholovis, I just realise that I was on the vanilla version from https://github.com/EarlRamirez/snipeit_iso. I will upgrade from 4.6.5 to 4.7.6 and try again.


Confirmed it's a bug; sent an email to the Snipe-IT security team as instructed here.

Thanks. I missed that!

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

Did this get fixed?

Okay, it looks like this issue or feature request might still be important. We'll re-open it for now. Thank you for letting us know!

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

@EarlRamirez - did you spot if this got fixed?

Okay, it looks like this issue or feature request might still be important. We'll re-open it for now. Thank you for letting us know!

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

@snipe - did this get fixed?

Okay, it looks like this issue or feature request might still be important. We'll re-open it for now. Thank you for letting us know!

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

@snipe - did this get fixed?

Okay, it looks like this issue or feature request might still be important. We'll re-open it for now. Thank you for letting us know!

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

This issue has been automatically closed because it has not had recent activity. If you believe this is still an issue, please confirm that this issue is still happening in the most recent version of Snipe-IT and reply to this thread to re-open it.

I'll try this one more time. @snipe did this get fixed?

This is the last time I'm poking this thread as I'm not using the platform for future projects.

I believe this was fixed many versions ago.
