
AssignRoleToUsers should not be implied by EditUsers

Open MikeAlhayek opened this issue 1 year ago • 1 comments

In the permission structure we currently have, the AssignRoleToUsers permission should NOT be implied by EditUser. AssignRoleToUsers should be explicitly granted instead.

Change

https://github.com/OrchardCMS/OrchardCore/blob/dd03cf8c998b014303728e20b398239e49ff3dc8/src/OrchardCore/OrchardCore.Users.Core/CommonPermissions.cs#L24

to

    public static readonly Permission AssignRoleToUsers = new("AssignRoleToUsers", "Assign any role to users", true);

MikeAlhayek avatar Sep 19 '24 00:09 MikeAlhayek

We triaged this issue and set the milestone according to the priority we think is appropriate (see the docs on how we triage and prioritize issues).

This indicates when the core team may start working on it. However, if you'd like to contribute, we'd warmly welcome you to do that anytime. See our guide on contributions here.

github-actions[bot] avatar Sep 19 '24 00:09 github-actions[bot]

I agree with the issue description.

However, I think it may be fine as a non-breaking change. Kind of a fix. Would the fix also add the permission by default to the roles that have Edit Users?

sebastienros avatar Nov 08 '24 18:11 sebastienros

If we provide a migration to grant the permission for all the roles, then we won't break anything. But we would have to make sure that migration does run for new tenants.

MikeAlhayek avatar Nov 08 '24 23:11 MikeAlhayek
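
The behaviour discussed in this thread, as an added example that is not OrchardCore's code and not written by any participant: a simplified model of implied permissions showing the AssignRoleToUsers check for a role granted only EditUsers while the implication exists, after it is removed, and after a migration grants the permission explicitly. The `Permission` class, the `PermissionModel` helpers, and the role names are hypothetical, and the migration is assumed to target only roles that hold EditUsers.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Simplified stand-in for a permission with "implied by" parents (hypothetical type).
public sealed class Permission
{
    public Permission(string name, params Permission[] impliedBy)
    {
        Name = name;
        ImpliedBy = impliedBy;
    }
    public string Name { get; }
    public IReadOnlyList<Permission> ImpliedBy { get; }
}

public static class PermissionModel
{
    // Granted directly, or through any permission that transitively implies it.
    public static bool IsGranted(Permission required, ISet<string> grants) =>
        grants.Contains(required.Name) || required.ImpliedBy.Any(p => IsGranted(p, grants));

    // Migration sketch: explicitly grant the permission to each role holding the former parent.
    public static void GrantExplicitly(string permission, string formerParent,
        IDictionary<string, HashSet<string>> roles)
    {
        foreach (var grants in roles.Values.Where(g => g.Contains(formerParent)))
            grants.Add(permission);
    }
}

public static class Program
{
    public static void Main()
    {
        var editUsers = new Permission("EditUsers");
        var impliedAssign = new Permission("AssignRoleToUsers", editUsers); // current shape
        var explicitAssign = new Permission("AssignRoleToUsers");          // proposed shape
        // Constructed sample data: role name -> explicitly granted permission names.
        var roles = new Dictionary<string, HashSet<string>>
        {
            ["HelpDesk"] = new HashSet<string> { "EditUsers" },
            ["Author"] = new HashSet<string> { "PublishContent" },
        };
        Console.WriteLine($"implied:  {PermissionModel.IsGranted(impliedAssign, roles["HelpDesk"])}");
        Console.WriteLine($"removed:  {PermissionModel.IsGranted(explicitAssign, roles["HelpDesk"])}");
        PermissionModel.GrantExplicitly("AssignRoleToUsers", "EditUsers", roles);
        Console.WriteLine($"migrated: {PermissionModel.IsGranted(explicitAssign, roles["HelpDesk"])}");
        Console.WriteLine($"author:   {PermissionModel.IsGranted(explicitAssign, roles["Author"])}");
    }
}
```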