Security flaw with user roles

8 posts, 1 answered
  1. Lasse, 30 posts, registered 08 Jun 2012. Posted 17 Jan 2011.
    Hi!

    In trying to rectify the problem with authors needing to be in the Editors group, I found out that even if the Authors group is specifically denied to edit pages, a user that belongs to both Authors (who are denied from editing) and Editors (as they are by default) will be able to edit the page and its widgets, and then send it for publishing.

    1. Create a 2-step workflow.
    2. Create a user for the editor role, and another user that has the editor and author roles.
    3. Set the permissions so that the Authors group is denied to edit pages or widgets (everything other than view was what I had).
    4. Create a page as the editor user (put a single content widget with some text in it into the page) and send it for approval.
    5. Log in as the author, edit the widget's text (shouldn't be allowed!) and send it for publishing.
  2. Alon Rotem, 26 posts, registered 29 Feb 2016. Posted 17 Jan 2011.
    Hello Lasse,

    I've been trying to reproduce your issue with the latest version of Sitefinity (official release of version 4.0) but I was unable to. Here is a list of my steps:

    1. On my system I have 2 users: "editor" (a member of the "Editors" role) and "author" (a member of both "Editors" and "Authors" roles).
    2. I have an active 2-step workflow defined, approvers for level 1: Authors, approvers for level 2: Editors.
    I have also tried the same scenario with no workflow defined and got similar results.
    3. For Pages, under "Permissions for all pages", I've explicitly denied Authors to "Create widgets and layout elements" and to "Edit page content".
    4. I logged in as "editor", created a page and placed a widget on it, saved the page ("request approval", or "published" it, depending on the system's active workflow status), and logged out.
    5. I logged in as "author" (who is also a member of the "Editors" role), but was unable to edit the page created in step #4.

    Please let me know if I'm missing something here, and whether you could reproduce the problem with the latest version 4.0 (in which case please provide additional information).

    Thank you.

    Regards,
    Alon Rotem
    the Telerik team
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug is fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.
  3. Lasse, 30 posts, registered 08 Jun 2012. Posted 18 Jan 2011.
    Edit: it seems the copy & paste didn't work straight from SF; never a good idea to press send just before putting the computer away. Fixed now; I also added the settings for the Editors role so they are shown.

    I have the following set of rules for the role authors:

    Permission | Authors | Editors
    ("-" = no explicit setting in the original screen)

    Global Permissions / Backend
    Manage Users | - | -
    Manage Roles | - | -
    View Permissions | - | -
    Change permissions | - | -
    View Configurations | - | -
    Change Configurations | - | -
    Manage Labels | - | -
    Manage Files | - | -
    Manage Licenses | - | -
    Use in-line editing | - | -

    Classification of content / Taxonomies
    View classification | Allowed | -
    Create classification | Allowed | -
    Modify classification and manage classification items | Allowed | Allowed
    Delete classification | - | Allowed
    Change classification owner | - | Allowed
    Change classification permissions | - | -

    News
    View news | Allowed | -
    Create news | Allowed | Allowed
    Modify news | Allowed | Allowed
    Delete news | - | Allowed
    Change news owner | - | Allowed
    Change news permissions | - | -

    News / Comments
    View comments | - | -
    Write comments | - | -
    Modify comments | - | Allowed
    Delete comments | - | Allowed
    Change comment ownership | - | Allowed
    Change comment permissions | - | -

    Blogs / Blog
    View a blog | - | -
    Create a blog | Allowed | Allowed
    Delete blog and posts | - | Allowed
    Change a blog's owner | - | Allowed
    Change a blog's permissions | - | -

    Blogs / BlogPost
    View blog post | - | -
    Modify blog and manage posts | Allowed | Allowed
    Change blog post's owner | - | Allowed
    Change blog post's permissions | - | -

    Blogs / Comments
    View comments | - | -
    Write comments | - | -
    Modify comments | - | Allowed
    Delete comments | - | Allowed
    Change comment ownership | - | Allowed
    Change comment permissions | - | -

    Events
    View event | - | -
    Create event | Allowed | Allowed
    Modify event | - | Allowed
    Delete event | - | Allowed
    Change event owner | - | Allowed
    Change event permissions | - | -

    Events / Comments
    View comments | - | -
    Write comments | - | -
    Modify comments | - | Allowed
    Delete comments | - | Allowed
    Change comment ownership | - | Allowed
    Change comment permissions | - | -

    Libraries / Image
    View images | - | -
    Modify album and manage images | Allowed | Allowed
    Change image owner | - | Allowed
    Change image permissions | - | -

    Libraries / Album
    View album | - | -
    Create album | - | Allowed
    Delete album | - | Allowed
    Change album owner | - | Allowed
    Change album permissions | - | -

    Libraries / Document
    View document | - | -
    Modify library and manage documents | Allowed | Allowed
    Change document owner | - | Allowed
    Change document permissions | - | -

    Libraries / DocumentLibrary
    View document library | - | -
    Create document library | - | Allowed
    Delete document library | - | Allowed
    Change document library owner | - | Allowed
    Change document library permissions | - | -

    Libraries / Video
    View video | - | -
    Modify library and manage videos | Allowed | Allowed
    Change video owner | - | Allowed
    Change video permissions | - | -

    Libraries / VideoLibrary
    View video library | - | -
    Create video library | - | Allowed
    Delete video library | - | Allowed
    Change video library owner | - | Allowed
    Change video library permissions | - | -

    Forms / Forms
    View | Allowed | -
    Create | Allowed | Allowed
    Modify | Allowed | Allowed
    Delete | - | Allowed
    Change owner | - | Allowed
    Change permissions | - | -

    Forms / Comments
    View comments | - | -
    Write comments | - | -
    Modify comments | - | -
    Delete comments | - | -
    Change comment ownership | - | -
    Change comment permissions | - | -

    Feeds & Notifications
    (no entries listed)

    Generic Content
    View content | Allowed | -
    Create content | Explicitly denied | Allowed
    Modify content | Explicitly denied | Allowed
    Delete content | Explicitly denied | Allowed
    Change content owner | Explicitly denied | Allowed
    Change content permissions | Explicitly denied | -

    Generic Content / Comments
    View comments | - | -
    Write comments | - | -
    Modify comments | - | Allowed
    Delete comments | - | Allowed
    Change comment ownership | - | Allowed
    Change comment permissions | - | -

    Widget templates / Pages
    View a page | Allowed | -
    Create widgets and layout elements | Explicitly denied | -
    Edit page content | Explicitly denied | -
    Create a page | Explicitly denied | -
    Modify a page | Explicitly denied | -
    Delete a page | Explicitly denied | -
    Change page owner | Explicitly denied | -
    Change page permissions | Explicitly denied | -

    Widget templates / PageTemplates
    View | Allowed | -
    Create | Explicitly denied | -
    Modify | Explicitly denied | Allowed
    Delete | Explicitly denied | -
    Change owner | Explicitly denied | -
    Change permissions | Explicitly denied | -

    Widget templates / Controls
    View a widget | Allowed | -
    Move a widget | Explicitly denied | -
    Edit widget properties | Explicitly denied | -
    Delete a widget | Explicitly denied | -
    Change widget owner | Explicitly denied | -
    Change widget permissions | Explicitly denied | -

    Search and Indexing
    View | - | -
    Create | - | -
    Modify | - | -
    Delete | - | -
    Change owner | - | -
    Change permissions | - | -


    The users (author, editor) do not have specific settings, nor does the Editors role. I had also used a third group as the final approver (I created a role called Publishers for that purpose).
    The version used is 4.0.1098.0 with a fresh project (it happened on an upgraded project, and on a retry with a clean one as well).
  4. Alon Rotem, 26 posts, registered 29 Feb 2016. Posted 19 Jan 2011.
    Hello Lasse,

    Thank you for the additional info. I tried again to reproduce the problem, copying the permission settings in your post. However, this does not include the permission settings for frontend pages (those are available only in the "Pages" section).
    I again followed the steps as I described in my previous post, and being logged in as author (who is a member of the Authors and of the Editors roles), I could not edit a page (created by an editor), as my page permissions explicitly deny Authors from editing the page, which is as expected.

    Please provide additional information about the pages' permissions you've been using, and any additional details of the exact scenario you have followed in order to trigger the issue.

    Thank you.

    Best wishes,
    Alon Rotem
    the Telerik team
  5. Lasse, 30 posts, registered 08 Jun 2012. Posted 20 Jan 2011.
    Hi Alon.

    I have the following permissions for the page that I created to repeat the flow again. As editor: create the page, drag in 1 content box, edit it to say "this will be edited", send for approval. Then as author: edit the text to "this was edited", drag in a new content box, edit it to say "this was added", and finally approve/send for publishing.

    This item inherits permissions from its parent.

    Who can...

    • View a page: Everyone
    • Create widgets and layout elements: Designers, Editors, Owner
    • Edit page content: Designers, Editors, Owner
    • Create a page: Authors, Designers, Editors
    • Modify a page: Designers, Editors, Owner
    • Delete a page: Designers, Editors, Owner
    • Change page owner: Designers, Editors
    • Change page permissions: Administrators only



    I also have a third user (publisher, belonging to the Editors + Publishers groups, who can edit pages just the same), which is for publishing (approver for level 2). I'm running this through the integrated server (i.e. launched from the project manager). The project is filesystem based.
    I have also tried waiting some time after each step to see if it depended on timing, but that didn't cause any different result. To edit, I'm using the Chrome browser, build 9.0.957.47 beta (although it seems there is an update waiting; I will retry with the new version just in case, and edit this post to indicate the results).
    Another thing is that I originally had the pages workflow in the workflows folder (I was going to try to edit it directly), but it has since disappeared. In that regard the 2-step workflow is only set for pages and the notifications are not enabled. The permissions for the workflows are the following:

    Permissions for workflow

    Who can...

    • View workflow: Everyone
    • Create workflow: Authors, Editors
    • Modify workflow: Authors, Editors, Owner, Publishers
    • Delete workflow: Editors, Owner
    • Change workflow owner: Editors
    • Change workflow permissions: Administrators only


    And the settings for workflows (regarding pagenode) are...

    Telerik.Sitefinity.Pages.Model.PageNode

    Let me know if I can provide anything else to help reproduce this. Do you want a screencast? I could try to produce one showing the error.

    The following settings are set for all pages:

    Permissions for all pages

    Who can...

    • View a page: Everyone
    • Create widgets and layout elements: Designers, Editors, Owner
    • Edit page content: Designers, Editors, Owner
    • Create a page: Authors, Designers, Editors
    • Modify a page: Designers, Editors, Owner
    • Delete a page: Designers, Editors, Owner
    • Change page owner: Designers, Editors
    • Change page permissions: Administrators only

  6. Alon Rotem, 26 posts, registered 29 Feb 2016. Posted 20 Jan 2011.
    Hello Lasse,

    As I see now, following your permission settings for pages and workflow, it seems as if there are no explicit denials of any user/role.
    Thus it is logical that a user assigned to both the Authors *and* Editors roles should be able to enjoy the benefits of both. That is: creating, editing, sending for approval (publishing is allowed by the workflow rules only to Publishers, thus they are the only ones who can approve and publish).
    If one of the roles were explicitly denied to perform any action, a user who is assigned that role (regardless of the user being assigned additional roles) would be denied.
    If there is any additional setting regarding pages and/or workflow which is explicitly denied in your system, and the behavior does not comply with the analysis above, please provide info.

    Thanks.

    Regards,
    Alon Rotem
    the Telerik team
  7. Lasse, 30 posts, registered 08 Jun 2012. Posted 26 Jan 2011.
    Sorry to get back on this a bit late. Anyway, I had explicit denies under the permissions for the role "Authors", which I posted earlier on the 18th. The following part:


    Widget templates / Pages (Authors role)

    Permission | Allow | Deny
    View a page | Allowed | -
    Create widgets and layout elements | - | Explicitly denied
    Edit page content | - | Explicitly denied
    Create a page | - | Explicitly denied
    Modify a page | - | Explicitly denied
    Delete a page | - | Explicitly denied
    Change page owner | - | Explicitly denied
    Change page permissions | - | Explicitly denied

    Shouldn't that deny the access to modify pages for anyone underneath the role of Authors? Even if these explicit denies have not been copied to the default pages' security settings, I have explicitly denied parts of the sections by going to Settings -> Administration -> Permissions, then selecting the Authors role and setting everything except the view permission to denied for some groups (Generic Content, Pages, PageTemplates and Controls). In other words, I have created the denies by role -> what is denied, instead of what -> who can/can't. But isn't this why these settings are exposed where I accessed them? (It would be easier for maintenance to have both ways enabled, so that depending on what needs to be done you don't need to go through many settings in separate places, i.e. change the permission for the role or for the object.)
  8. Alon Rotem, 26 posts, registered 29 Feb 2016. Posted 03 Feb 2011.
    Hi Lasse,

    Thanks for the feedback.

    You are right in the sense that this list of permissions should take effect on denied users.
    However, this permission list relates to Widget Templates, which are in fact not secured in our system; therefore, in essence, those permissions should not have appeared in the permission lists in the first place, hence a bug.
    As I have specified in my previous posts, on other accounts, permissions related directly to editing pages and their respective controls do seem to behave as expected.
    I opened a related task (id #106790) for removing the Widget Templates' permissions from the permission screens and for verifying that all other pages' and controls' permissions indeed correspond to their designed behavior.

    All the best,
    Alon Rotem
    the Telerik team
    Answered
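The two rules the Telerik replies state (an explicit deny on any of a user's roles wins over an allow from another role, and entries under an object type the system does not secure never take effect) as an added example; this is not Sitefinity code, and the list of secured types, the entry names and the two user accounts are assumptions modelled on the thread:

```python
"""Effective-permission check for the scenario in this thread.

Added example, not Sitefinity's own code. It models two things the replies
state: (1) deny-overrides, i.e. an explicit deny on any of a user's roles
beats an allow granted through another role, and (2) permissions set on an
object type the system does not secure (Widget Templates) never take effect.
The set of secured types below is an assumption for the example.
"""
from dataclasses import dataclass

# Assumed: only these object types are actually enforced. "Widget templates"
# is deliberately absent, matching the reply's explanation of the bug.
SECURED_TYPES = {"Pages", "PageTemplates", "Controls", "Generic Content"}


@dataclass(frozen=True)
class Entry:
    object_type: str
    action: str
    role: str
    effect: str  # "allow" or "deny"


def effective(entries, user_roles, object_type, action):
    """Return "deny", "allow" or "none" for a user holding user_roles.

    Entries are only consulted for secured object types; a deny on any one
    of the user's roles wins over allows granted through the others.
    """
    if object_type not in SECURED_TYPES:
        return "none"
    relevant = [e for e in entries
                if e.object_type == object_type
                and e.action == action
                and e.role in user_roles]
    if any(e.effect == "deny" for e in relevant):
        return "deny"
    if any(e.effect == "allow" for e in relevant):
        return "allow"
    return "none"


def dangling_entries(entries):
    """Entries configured on object types that are never enforced.

    These are visible in the permission screens but can never take effect;
    listing them is the audit a defender wants after reading this thread.
    """
    return [e for e in entries if e.object_type not in SECURED_TYPES]


# Constructed from the thread: the Authors denials sit under the unsecured
# "Widget templates" section, while page-level permissions allow Editors.
LASSE_CONFIG = [
    Entry("Pages", "Edit page content", "Editors", "allow"),
    Entry("Pages", "Create widgets and layout elements", "Editors", "allow"),
    Entry("Widget templates", "Edit page content", "Authors", "deny"),
    Entry("Widget templates", "Create widgets and layout elements", "Authors", "deny"),
]

# Same intent with the denial placed on the secured "Pages" type instead,
# which is where the replies say page editing is actually enforced.
FIXED_CONFIG = [
    Entry("Pages", "Edit page content", "Editors", "allow"),
    Entry("Pages", "Edit page content", "Authors", "deny"),
]

AUTHOR_USER = {"Authors", "Editors"}  # the thread's "author" account
EDITOR_USER = {"Editors"}             # the thread's "editor" account


if __name__ == "__main__":
    for name, cfg in (("as posted", LASSE_CONFIG), ("deny on Pages", FIXED_CONFIG)):
        print(name,
              "| author ->", effective(cfg, AUTHOR_USER, "Pages", "Edit page content"),
              "| editor ->", effective(cfg, EDITOR_USER, "Pages", "Edit page content"))
        print("  dangling:", [(e.object_type, e.action, e.role)
                             for e in dangling_entries(cfg)])
```

With the denial under "Widget templates" the author account still evaluates to "allow" on Pages, and the two dangling entries are what an audit of the permission screens should flag.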