
[BUG]: Access-Group-Management

Open ObsidianOracle opened this issue 9 months ago • 2 comments

Version Information

0.14.3

Hashcat

No response

Description

Access-group-management looks different than in the old PHP UI. You see Access Groups you are not matched to and not a member of. Same for agents from different groups.

ObsidianOracle avatar Mar 28 '25 10:03 ObsidianOracle

Explanation from @s3inlc needed to rework that.

ObsidianOracle avatar Apr 30 '25 08:04 ObsidianOracle

There is currently no way to add new agents or users to an access group in the new UI; this must be added.

gluafamichl avatar May 09 '25 06:05 gluafamichl

Scenario

Created two users (user1, user2), put them into separate access groups (ag1, ag2). So whatever they create in tasks/hashlists etc. should be distinct and not visible to the other user.

Wrongfully shown:

  • [x] When creating a hashlist, in the dropdown for the access group, all are shown, not only the ones the user is a member of (e.g. user1 still sees the access group of user2 in the dropdown)
  • [x] When user1 creates a task with his ag1 hashlist, user2 gets the task shown in his tasks list, but he should not see it.
  • [x] User2 can access the edit page of the task of user1 which he is not supposed to be able to. When trying to save the edits, the access is checked, but the user2 should not be able to see anything of that task.
  • [x] Via the task which is visible to user2, he can also access the information of the hashlist he is not supposed to see.
  • [x] An agent is registered, then removed from the default access group and added to the one of user2 (ag2). When then logged in as user1, he can see the agent and access the details (which he shouldn't).
  • [x] In the file upload form, users see the access groups they are not a member of (which they shouldn't).
  • [x] User1 added a wordlist and associated it with ag1, user2 is able to see the file (which he shouldn't).
  • [x] User2 also can see the wordlist from ag1 in his task creation selection (which he shouldn't).
  • [x] When an agent starts working on the task of user1, user2 also sees the active chunks (which he shouldn't).

Improvements proposed

  • When editing an access group, instead of having the full input form for add user and add agent on top, create a button somewhere on each table (users, agents) named for example 'Add Users' to click which then opens a modal or similar with the input field to search and add users/agents.

s3inlc avatar Jun 23 '25 08:06 s3inlc
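
The isolation expectations from the scenario above, expressed as one server-side read check that list views, dropdowns and detail/edit pages all share (an added example, not code from the project or from the commenters). The data layout and the names `DATA`, `can_read`, `listing` and `visible` are hypothetical; it assumes a task inherits its access group from its hashlist and a chunk inherits it from its task.

```python
# Constructed sample data mirroring the scenario: user1 is in ag1, user2 in ag2.
DATA = {
    "access_group": {"ag1": {"user1"}, "ag2": {"user2"}},  # group -> members
    "hashlist": {"hl1": "ag1"},                             # hashlist -> group
    "file": {"wordlist1": "ag1"},                           # file -> group
    "agent": {"agent1": {"ag2"}},                           # agent -> groups
    "task": {"task1": "hl1"},                               # task -> hashlist
    "chunk": {"chunk1": "task1"},                           # chunk -> task
}


def can_read(user, kind, ident, data=DATA):
    """Read-path authorization: applied before any object data is returned,
    not only when an edit is saved."""
    if kind not in data:
        raise ValueError(f"unknown kind: {kind}")
    entry = data[kind].get(ident)
    if entry is None:
        return False  # unknown id is denied exactly like a foreign object
    mine = {g for g, members in data["access_group"].items() if user in members}
    if kind == "access_group":
        return ident in mine
    if kind in ("hashlist", "file"):
        return entry in mine
    if kind == "agent":
        return bool(entry & mine)  # agent shares at least one group with user
    if kind == "task":
        return can_read(user, "hashlist", entry, data)  # inherited from hashlist
    return can_read(user, "task", entry, data)          # chunk: inherited from task


def listing(user, kind, data=DATA):
    """Tables and dropdowns are built from the same check as detail pages."""
    return sorted(i for i in data[kind] if can_read(user, kind, i, data))


def visible(user, data=DATA):
    """Everything a user can see, per object kind; usable as a regression check."""
    return {kind: listing(user, kind, data) for kind in data}


if __name__ == "__main__":
    for name in ("user1", "user2"):
        print(name, visible(name))
```
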

Added the ability to add and remove users and agents from the access groups. Currently, removing is only possible via the table bulk actions as the current implementation of the three dot menu is not enhancement friendly and should likely be reworked before that.

Also, feedback from @s3inlc is to hide the dropdown selects for adding users and agents behind modals and move them directly to the corresponding tables, to have a cleaner UI with less need for scrolling.

cv5ch avatar Jun 23 '25 08:06 cv5ch

Move the suggestion for improvement on the frontend into a separate issue.

s3inlc avatar Jun 25 '25 07:06 s3inlc