
Security hole in SP2

4 posts, 0 answered
  1. UI Crew
    151 posts
    Registered: 27 Sep 2012
    03 Sep 2007
    Hi,

    Something really annoying that I just discovered... If you give someone access to add users, they can then go and add themselves to the administrators group, log out and in, and then do everything.

    Is there any plan for this to be fixed soon? Kinda makes security a bit insecure.

    Cheers,

    Seth
  2. Bob
    330 posts
    Registered: 24 Sep 2012
    03 Sep 2007
    Hi Seth,

    Are you suggesting that adding a user to a role should be a separate permission? What is the point of having the right to create users but not to assign them to roles? Could you explain how you want user management organized?

    Your opinion is highly appreciated.

    Thanks,
    Bob
    the Telerik team

  3. UI Crew
    151 posts
    Registered: 27 Sep 2012
    03 Sep 2007
    Hi,

    There are a number of situations in any application, especially when working for a client, where you want to give the user the ability to add users but you don't want to give them the level of the "system administrator", which is the highest admin level in the system.

    For example... I often create a role for my clients that disables certain features that you just don't want them to touch (editing templates etc.) to stop them from accidentally stuffing something up. These users however still need to be able to add new employees etc. without bothering me; also you may want to just hide features.

    However, if you give them the ability to add users in Sitefinity, they automatically have the ability to add themselves to the administrator account and have access to settings and things you don't want them to have access to... it's almost like you need the ability to stop a user from assigning a role with higher privileges than they have in the system - don't know how you do that though?

    Or maybe you should consider a way to just protect the admin account.

    I was talking to Sean about this and he seemed to agree with me that there is a security issue there.

    I have just been looking around the forums and this fellow also seemed to share my concern - http://www.sitefinity.com/support/forums/support-forum-thread/b1043S-hgabk.aspx

    Yes, so maybe just the administrators role should be protected as the "system admin".

    What do you think Bob?

    Cheers,

    Seth
  4. Bob
    330 posts
    Registered: 24 Sep 2012
    03 Sep 2007
    Hello Seth,

    Yes, I agree with you guys. As an easy, fast solution to the problem we will allow only members of unrestricted roles to be able to add other users to such roles. Also, we will consider implementing security policies and organizational units. We will schedule these features after the release of 3.1 later this month and I will let you know about our decision.

    Best wishes,
    Bob
    the Telerik team

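Bob's proposed rule (only members of an unrestricted role may add users to such a role), combined with Seth's point that nobody should be able to hand out a role they do not hold themselves, shown as an added Python illustration that is not Sitefinity's code: the naive "can add users" check beside the guarded one, run over a constructed scenario. The `User` class, `assign_role_*` functions, `escalation_possible` and the role names are assumptions made for the example.

```python
# Illustrative role-assignment guard; not Sitefinity's API or data model.
from dataclasses import dataclass, field

ADMIN_ROLE = "Administrators"       # the protected "system admin" role
UNRESTRICTED_ROLES = {ADMIN_ROLE}   # members of these roles may grant any role


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    can_add_users: bool = False     # the "add users" permission from the thread


class PermissionDenied(Exception):
    pass


def assign_role_naive(actor: User, target: User, role: str) -> None:
    """The behaviour Seth describes: 'can add users' is enough to grant any role."""
    if not actor.can_add_users:
        raise PermissionDenied(f"{actor.name} cannot manage users")
    target.roles.add(role)


def assign_role_guarded(actor: User, target: User, role: str) -> None:
    """Guarded variant: an actor in an unrestricted role may grant anything;
    anyone else may grant only roles they already hold, so membership in
    Administrators can only be handed out by an Administrator."""
    if not actor.can_add_users:
        raise PermissionDenied(f"{actor.name} cannot manage users")
    actor_unrestricted = bool(actor.roles & UNRESTRICTED_ROLES)
    if not actor_unrestricted and role not in actor.roles:
        raise PermissionDenied(f"{actor.name} may not grant {role!r}: not a member")
    target.roles.add(role)


def escalation_possible(assign) -> bool:
    """Constructed scenario: a restricted client user who may add users tries to
    put themselves into Administrators. True if they end up as an admin."""
    client = User("client-editor", roles={"ClientEditor"}, can_add_users=True)
    try:
        assign(client, client, ADMIN_ROLE)
    except PermissionDenied:
        pass
    return ADMIN_ROLE in client.roles


if __name__ == "__main__":
    print("naive check escalates:", escalation_possible(assign_role_naive))
    print("guarded check escalates:", escalation_possible(assign_role_guarded))
```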