More in this section
Forums / Bugs & Issues / Big Security Issue/Hole

Big Security Issue/Hole

The forums are in read-only mode. In case that you want to directly contact the Progress Sitefinity team use the support center. In our Google Plus group you can find more than one thousand Sitefinity developers discussing different topics. For the Stack Overflow threads don’t forget to use the “Sitefinity” tag.
2 posts, 0 answered
  1. Singularity
    Singularity avatar
    2 posts
    06 Aug 2007
    22 Aug 2007
    Link to this post
    I have been evaluating the latest version of Sitefinity and ran into the following setup and issue with roles and permissions.

    "Administrators" is being reserved for our dev company as a master role with only our people added as users to that account.  This was we can limit access to sections, file manager, and permissions from our client.

    I created a "Company Administrators" role for our client to use as their highest level.  This role was restricted from ManagePermissions, ManageFiles, and EditTemplates.  However it was given access to ManageUsers so they can create the users for their organization.

    However, when I log in as this new role and create a new user, I'm allowed to add that user to the "Administrators" role which has access to everything.  I logged in as this new user and indeed I did have access to everything.

    I think this would be a common setup for a development company building sites for their clients.  We don't want them getting in there an overwriting files or messing with templates for obvious reasons.

    In addition to this fix, it would be nice to limit access to the uploading of files within the editor window.  There may be times where a user can edit a page but not be able to mess around with images, flash, or media.
  2. Yasen
    Yasen avatar
    121 posts
    18 May 2013
    23 Aug 2007
    Link to this post
    Hello Sheds,

    Currently this is the behavior of the Sitefinity Users Administration. Therefore the name of the permission is "Manage Users". However, we will consider your request for the future improvements of the Users Administration in Sitefinity.

    As for your second request, unfortunately Sitefinity still does not provide such functionality. We have plans to add a security trimming for the editor window features, but currently we cannot tell you in which release it will be included.

    Kind regards,
    the Telerik team

    Instantly find answers to your questions at the new Telerik Support Center
2 posts, 0 answered