[webservice] User with admin ACL on department can ls objects at root base in WS
Users that have been declared admin on a department can ls objects at the root base through the WS
Distribution Name and Version
Plugin with the defect
PHP version used
PHP 7.0.22-0ubuntu0.17.04.1 (cli) (built: Aug 8 2017 22:03:30)
Origin of php packages
Official ubuntu repositories
Steps to Reproduce
- set up a tree of departments
- create users bob and alice in base root (under a
- as fd-admin, assign admin ACL to bob on a department that contains sub-departments.
- as bob, try to assign admin ACL to alice on a sub-department: you should not be able to access the root of the users branch to pick her up, as you're not supposed to see these users,
- using the web service, logged in as bob, we can see alice and other users when calling the ls method on ou=users (tested with JMeter or fusiondirectory-shell), and fetch all its ldap
Same behaviour as in UI (Access denied message)
Users can be listed, and the caller can read their DN and LDAP attributes.
Reproduces how often: 100%
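The defect above is a scope check that the UI enforces and the WS does not: a department admin should only see entries inside the department subtree they administer. The following is an added audit helper (not FusionDirectory code) for checking a WS ls result against that rule. It assumes the reader has already run the ls call as the department admin and collected the DNs it returned; the DNs and department bases below are constructed for illustration, and the DN splitting is deliberately simple (no escaped-comma handling).

```python
"""Check whether a web-service ``ls`` result respects department-admin scope.

Added example, not FusionDirectory code. It assumes the WS ``ls`` call was
already run as the department admin and its returned DNs collected; the
sample DNs and bases are constructed.
"""
from typing import Iterable, List


def normalize_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, lower-casing types and values and trimming
    whitespace, so ``OU=Users, DC=Example`` compares equal to
    ``ou=users,dc=example``. Escaped commas are not handled; a real audit
    should use a proper LDAP DN parser."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return parts


def is_under(dn: str, base: str) -> bool:
    """True when ``dn`` equals ``base`` or lies anywhere in its subtree."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def out_of_scope(returned_dns: Iterable[str], admin_bases: Iterable[str]) -> List[str]:
    """Return every DN the WS handed back that is not inside any department
    the user administers. A non-empty result means the subtree scoping the
    UI applies (Access denied) was not applied by the web service."""
    bases = list(admin_bases)
    return [dn for dn in returned_dns if not any(is_under(dn, b) for b in bases)]


# Constructed sample: bob is admin of ou=sales only, yet ls on ou=users at the
# root base also returned alice and erin, who live directly under the base.
BOB_ADMIN_BASES = ["ou=sales,dc=example,dc=com"]
WS_LS_RESULT = [
    "uid=carol,ou=users,ou=sales,dc=example,dc=com",
    "uid=dave,ou=users,ou=emea,ou=sales,dc=example,dc=com",
    "uid=alice,ou=users,dc=example,dc=com",
    "uid=erin,ou=users,dc=example,dc=com",
]


def audit_sample() -> List[str]:
    """Run the scope check over the constructed sample."""
    return out_of_scope(WS_LS_RESULT, BOB_ADMIN_BASES)


if __name__ == "__main__":
    leaked = audit_sample()
    if leaked:
        print("ACL scope bypass: DNs visible outside the admin's departments:")
        for entry in leaked:
            print("  ", entry)
    else:
        print("ls result respects department scope")
```

Feeding the real ls output of a department admin into `out_of_scope` gives a quick regression check once the WS is fixed: the list should come back empty for every department admin, whatever base the call is made on.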
We have noticed this issue while looking for a simple way to automatically allow users that are admin on a department to see users at the root base without giving read rights on
ou=users,<base> to everyone or asking FD users to assign another ACL alongside the admin ACL (through the UI or WS), as it may get forgotten (2 steps instead of one) or desynchronized (old admins still having read rights even though they are no longer admins...).