Closed
Opened Nov 24, 2016 by zhongfu (@zhongfu, Reporter)

User with 'editownpwd' or 'editowninfo' role should not be able to lock other accounts

On a clean install of OpenLDAP 2.4.42+dfsg and FusionDirectory 1.0.17 (from FusionDirectory jessie repo) on Ubuntu 16.04.1 LTS, users assigned the 'editownpwd' role (base only) are able to lock other users' accounts from the Users screen.

This should not be the case, as the user has only been assigned permissions to change their own password (verified by checking the 'editownpwd' role permissions), and yet they are able to lock accounts, including their own and admin accounts.

This bug has been tested with a new user that was created from within FusionDirectory and assigned the 'editownpwd' role. After logging in as the user and navigating to the 'Users' page, the user is able to lock other accounts by clicking the padlocks on the user entries.

(from redmine: issue id 5252, created on 2016-11-24, closed on 2016-12-05)

  • Relations:
    • relates #5276 (closed)
  • Changesets:
    • Revision 4c3d6ba9 by Côme Chilliet on 2016-12-05T09:55:56.000Z: Fixes #5252 fixed default editownpwd ACL role
    • Revision 41ccf13b by Côme Chilliet on 2016-12-05T10:02:27.000Z: Fixes #5252 fixed default editownpwd ACL role
  • Custom Fields:
    • Bug in version: 1.0.17
Milestone: FusionDirectory 1.0.18
Reference: fusiondirectory/fd#5252