Thread: DO NOT REPLY New: - AC Auth controls admin area




DO NOT REPLY New: - AC Auth controls admin area
2007-11-20 11:08:05
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=43915>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=43915

           Summary: AC Auth controls admin area
           Product: Lenya
           Version: Trunk
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: Access Control
        AssignedTo: dev@lenya.apache.org
        ReportedBy: rfrovarp@apache.org


One of my testers has found an easy way to escalate rights in Lenya. If someone has admin rights to a subtree, they can use these rights to gain full access to the admin tab. This is not desirable as one would grant admin on a subtree so that the sub-admin can administer rights on that subtree.

To replicate:
Login as lenya
Grant editor group admin to editors under AC Auth from index
Logout
Login as alice
Goto admin tab
Create users
Go back to site
Change to sibling of index/home
Go back to admin, you will now be blocked (so long as you didn't add alice to admin group, which you easily could have).

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lenya.apache.org
For additional commands, e-mail: dev-help@lenya.apache.org


DO NOT REPLY - AC Auth controls admin area
2007-11-20 11:08:15


rfrovarp@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|2.0.1                       |2.0






DO NOT REPLY - AC Auth controls admin area
2007-11-20 11:11:25





------- Additional Comments From rfrovarp@apache.org  2007-11-20 09:11 -------
It would appear that the problem is admin is typically under the authoring subtree. There is an admin subtree-policy.acml, however the URL is never switched over to that area. Manually switching authoring to admin does work, however the authoring tab changes name to admin and the site tab stays in the admin area as well.



DO NOT REPLY - AC Auth controls admin area
2007-11-20 11:20:29





------- Additional Comments From andreas@apache.org  2007-11-20 09:20 -------
Strange, why isn't this blocked by the usecase policies? The per-URL protection of the admin area is obsolete. Actually there should be no admin area anymore.



DO NOT REPLY - AC Auth controls admin area
2007-11-20 11:23:17
DO NOT REPLY - AC Auth controls admin area
2007-11-20 11:26:16
DO NOT REPLY - AC Auth controls admin area
2007-11-20 11:30:30





------- Additional Comments From andreas@apache.org  2007-11-20 09:30 -------
(In reply to comment #0)
> One of my testers has found an easy way to escalate rights in Lenya. If someone
> has admin rights to a subtree, they can use these rights to gain full access to
> the admin tab. This is not desirable as one would grant admin on a subtree so
> that the sub-admin can administer rights on that subtree.

IMO this would mean that we need two "administrator" roles:

- a website administrator who is allowed to grant/deny roles etc.
- an application administrator who is allowed to execute the admin.* usecases



DO NOT REPLY - AC Auth controls admin area
2007-11-20 11:42:53





------- Additional Comments From rfrovarp@apache.org  2007-11-20 09:42 -------
(In reply to comment #5)
>
> 
> IMO this would mean that we need two "administrator" roles:
> 
> - a website administrator who is allowed to grant/deny roles etc.
> - an application administrator who is allowed to execute the admin.* usecases

That could work. We obviously wouldn't want to give editors the rights to tab.ac*. And giving reviewers the rights doesn't make sense either. So it would appear that we do need another role.



DO NOT REPLY - AC Auth controls admin area
2007-11-21 05:08:05





------- Additional Comments From andreas@apache.org  2007-11-21 03:08 -------
(In reply to comment #6)
> (In reply to comment #5)
> >
> > 
> > IMO this would mean that we need two "administrator" roles:
> > 
> > - a website administrator who is allowed to grant/deny roles etc.
> > - an application administrator who is allowed to execute the admin.* usecases
> 
> That could work. We obviously wouldn't want to give editors the rights to
> tab.ac*. And giving reviewers the rights doesn't make sense either. So it would
> appear that we do need another role. 

I'm working on it.





DO NOT REPLY - AC Auth controls admin area
2007-11-21 05:17:40


andreas@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




------- Additional Comments From andreas@apache.org  2007-11-21 03:17 -------
I introduced a method Role.isAssignable() and a role "sitemanager" with a group of the same name. All users have to update their policies accordingly.

Please test and re-open if this doesn't resolve the issue. TIA!

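The escalation in the original report and the role split in the fix, modelled as an added example. This is Python written for this page, not Lenya code: the policy structures, the usecase names "admin.users" and "tab.ac", and the meaning given to an "assignable" flag (after Role.isAssignable() in the fix) are assumptions. The point it shows is that when the admin.* usecases are gated by the same "admin" role that a sub-admin holds on a subtree, the usecase check passes wherever that subtree policy applies (here, on index), and fails only once the user moves to a sibling page, exactly the behaviour the reporter saw. Gating admin.* on a separate role that the AC tab refuses to hand out closes both the direct use and the self-grant.

```python
"""Toy model of Lenya-style subtree policies plus usecase policies (added example, not Lenya code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    assignable: bool = True  # assumption: mirrors Role.isAssignable() from the fix


ADMIN = Role("admin")                                  # may grant/deny roles on a subtree (tab.ac*)
EDIT = Role("edit")
SITEMANAGER = Role("sitemanager", assignable=False)    # may run admin.* usecases; never handed out via tab.ac


class Site:
    def __init__(self, usecase_policies):
        self.membership = {}                  # user -> set of group names
        self.subtree_policies = {}            # URL prefix -> {group: set of Role}
        self.usecase_policies = usecase_policies  # usecase name -> set of Role that may run it

    def add_user(self, user, *groups):
        self.membership[user] = set(groups)

    def roles_for(self, user, url):
        """Roles a user holds at a URL: every subtree policy on a prefix of the URL applies."""
        roles = set()
        for prefix, grants in self.subtree_policies.items():
            if url == prefix or url.startswith(prefix.rstrip("/") + "/"):
                for group, granted in grants.items():
                    if group in self.membership.get(user, ()):
                        roles |= granted
        return roles

    def can_execute(self, user, url, usecase):
        """Usecase policy check, evaluated against the URL the user is currently on."""
        return bool(self.roles_for(user, url) & self.usecase_policies.get(usecase, set()))

    def grant(self, actor, subtree, group, role):
        """The AC tab: only a holder of ADMIN on the subtree may change its policy,
        and a non-assignable role cannot be granted at all."""
        if ADMIN not in self.roles_for(actor, subtree):
            raise PermissionError(f"{actor} is not admin on {subtree}")
        if not role.assignable:
            raise PermissionError(f"{role.name} cannot be assigned through the AC tab")
        self.subtree_policies.setdefault(subtree, {}).setdefault(group, set()).add(role)


def build_site(hardened):
    """Constructed site: 'lenya' is the superuser, 'alice' is an ordinary editor.
    Vulnerable: admin.* usecases require ADMIN (the same role a sub-admin gets).
    Hardened: admin.* usecases require the non-assignable SITEMANAGER role."""
    gate = SITEMANAGER if hardened else ADMIN
    site = Site({"admin.users": {gate}, "tab.ac": {ADMIN}})
    site.add_user("lenya", "admin", "sitemanager")
    site.add_user("alice", "editors")
    site.subtree_policies["/"] = {"admin": {ADMIN, EDIT}, "sitemanager": {SITEMANAGER}}
    return site


def replay_report(hardened):
    """Walk the reporter's steps and return what alice can do at each point."""
    site = build_site(hardened)
    # lenya, from index, grants the editors group admin on the index subtree
    site.grant("lenya", "/authoring/index", "editors", ADMIN)
    # alice, on index, opens the admin tab and tries to create users
    on_index = site.can_execute("alice", "/authoring/index", "admin.users")
    # alice moves to a sibling of index and tries again
    on_sibling = site.can_execute("alice", "/authoring/about", "admin.users")
    # the intended use still works: alice administers rights inside her subtree
    site.grant("alice", "/authoring/index/news", "editors", EDIT)
    # can alice hand her own group the role that unlocks admin.*?
    try:
        site.grant("alice", "/authoring/index", "editors", SITEMANAGER if hardened else ADMIN)
        self_grant = True
    except PermissionError:
        self_grant = False
    return {"admin_on_index": on_index, "admin_on_sibling": on_sibling, "self_grant": self_grant}


if __name__ == "__main__":
    print("vulnerable:", replay_report(hardened=False))
    print("hardened:  ", replay_report(hardened=True))
```

Run it to see the two outcomes side by side. The vulnerable configuration reports admin_on_index True and admin_on_sibling False, which is the "blocked once you change to a sibling" behaviour from the report; the hardened configuration reports False for both, and alice's attempt to grant herself the site-manager role is refused by the assignability check rather than by the subtree policy she already controls.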

