Permission Hierarchy Review
Parent Issue
https://github.com/dotCMS/private-issues/issues/31
Task
I got the following from @mbiuki
Roles and tools
As a limited user with access to the config tool group, I am able to change the access for the CMS Administrator role, which doesn’t make sense as I should not be able to limit access for admins.
Proposed Objective
Security & Privacy
Proposed Priority
Priority 3 - Average
Acceptance Criteria
From @mbiuki, possible acceptance criteria:
- Audit and adjust role permissions to ensure limited users cannot alter higher-level roles or access restricted tools.
- Disable or hide actions for which users do not have permissions and provide clear indications of these restrictions.
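As an added illustration of the two criteria above (not dotCMS code; the role names, the tool-group model and the helper names are constructed for this example), a guard that only lets a user edit the permissions of roles at or below their own position in the hierarchy, and a helper that hides the edit action when the guard fails:

```python
from dataclasses import dataclass

# Constructed hierarchy: child role -> parent role; the root has no parent.
ROLE_PARENT = {
    "CMS Administrator": None,
    "Config Tools": "CMS Administrator",
    "Limited User": "Config Tools",
}


def ancestors(role):
    """Roles strictly above `role`, closest first (empty for the root)."""
    chain = []
    parent = ROLE_PARENT.get(role)
    while parent is not None:
        chain.append(parent)
        parent = ROLE_PARENT.get(parent)
    return chain


@dataclass
class User:
    name: str
    roles: set        # roles held directly by the user
    tool_groups: set  # e.g. {"config"} for access to the config tool group


def is_at_or_below(target_role, user):
    """True if `target_role` is one of the user's roles or descends from one."""
    return target_role in user.roles or any(a in user.roles for a in ancestors(target_role))


def can_edit_role_permissions(user, target_role):
    """Authorization check for the role-permissions editor.

    Requires the config tool group AND a target role no higher in the
    hierarchy than the acting user; a Limited User therefore cannot touch
    CMS Administrator, but an administrator can edit any role.
    """
    if "config" not in user.tool_groups:
        return False
    return is_at_or_below(target_role, user)


def visible_actions(user, target_role):
    """Only expose UI actions the user is actually permitted to perform."""
    actions = {
        "view": "config" in user.tool_groups,
        "edit_permissions": can_edit_role_permissions(user, target_role),
    }
    return {name for name, allowed in actions.items() if allowed}
```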
External Links... Slack Conversations, Support Tickets, Figma Designs, etc.
- Original issue (filed in the wrong repo)
- Parent issue that was the source for this issue being created: https://github.com/dotCMS/private-issues/issues/31
- duplicate of that parent issue https://github.com/dotCMS/core/issues/27909
- PR that fixed the original security flaw https://github.com/dotCMS/core/pull/27912
- Deep dive in the Slack conversation
Assumptions & Initiation Needs
No response
Quality Assurance Notes & Workarounds
No response
Sub-Tasks & Estimates
No response