Skip to content
GitLab
Closed
Issue created by zhongfu@zhongfuReporter

User with 'editownpwd' or 'editowninfo' role should not be able to lock other accounts

On a clean install of OpenLDAP 2.4.42+dfsg and FusionDirectory 1.0.17 (from FusionDirectory jessie repo) on Ubuntu 16.04.1 LTS, users assigned the 'editownpwd' role (base only) are able to lock other users' accounts from the Users screen.

This should not be the case, as the user has only been assigned permissions to change their own password (verified by checking the 'editownpwd' role permissions), and yet they are able to lock accounts, including their own and admin accounts.

This bug has been tested with a new user that was created from within FusionDirectory and assigned the 'editownpwd' role. After logging in as the user and navigating to the 'Users' page, the user is able to lock other accounts by clicking the padlocks on the user entries.

(from redmine: issue id 5252, created on 2016-11-24, closed on 2016-12-05)

  • Relations:
  • Changesets:
    • Revision 4c3d6ba9 by Côme Chilliet on 2016-12-05T09:55:56.000Z:
Fixes #5252 fixed default editownpwd ACL role
  • Revision 41ccf13b by Côme Chilliet on 2016-12-05T10:02:27.000Z:
Fixes #5252 fixed default editownpwd ACL role
  • Custom Fields:
    • Bug in version: 1.0.17