itflow
Security between role views
Hi,
I'm testing the roles and the views associated with them. I discovered we can access pages that are not in a role.
Example: IT Contractor is not able to view Accounting or Sales sections. (I know there is dev on dashboard, so I didn't include that).
If the user knows ITFlow, the URL can be manually typed.
In my mind, the security that differentiates each role has to be strict.
Let me know what is the roadmap.
Regards.
@Wikiphil This is true; for now, roles only hide things like menus. We are working on adding role checks on each module. This will take quite a bit of time to implement and test. I'll keep this open for tracking.
Good. If you need someone to test, let me know.
@Wikiphil Always need someone to test =]
I think we could use a high level matrix of the access levels / roles and the allowed access to modules. Not sure if this is defined or documented anywhere outside of just hiding menus?
Just a reminder here: we'd need to be validating the correct access level on both the access to pages and to post.php (i.e. right now anyone can delete anything using the correct post.php GET params).
Yes, this is true too. So knowing this, only add trusted users for now. Although we do checks on post.php for company_id, so we do have some company segregation.
Been thinking about this more...
Not sure what the roadmap is on this but I feel that clients should not have users for the ITFlow system in the same way that admins/techs/contractors do.
I think for purposes of client contacts managing their tickets/invoices/payments, this would best be done from the client contact database table with a client portal. This should be a separate part of the site (e.g. /guest/), with separate login logic & validation. This might be a little more work (we can copy a lot of what we've got!) but rather than having to "lockdown" the admin side and try and restrict what a client can see and access, we create a small portal that, based on their role in the client company, allows clients to see/log/update tickets & quotes/invoices.
This means that anyone that is a contact will automatically have some basic functionality to the client portal as soon as they are added as a contact (and a method of logging in is set). This also opens the door for client login via SSO much more easily. Additionally, it means we don't have to try and relate a client user account to a client contact.
The way I see this happening is that a client accesses itflow/(guest?)/login.php and authenticates (password, via an IdP, etc.) and then gets their session information set (as we do currently), but instead of using $_SESSION['logged'] we'd use something like $_SESSION['guest_logged']. We'd also set their client id, contact id, etc. They are then redirected to something like /itflow/guest/portal.php. If a client were to access /tickets.php, for example, they'd just be seen by the web app as an unauthenticated user (no $_SESSION['logged'] set) and redirected to log in (on the admin side).
I'm very hesitant to think we can cover restricting access to absolutely everything. We'll inevitably miss something and clients will be able to see/edit information they're not supposed to. Just my two cents.
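To make the two ideas in this thread concrete (checking the role on every page *and* on every post.php action, as raised above, and keeping client-portal sessions separate from staff sessions, as wrongecho describes), here is an added PHP example. It is not ITFlow's code; the role names, module names, action names and session keys other than `$_SESSION['logged']` / `$_SESSION['guest_logged']` are assumptions for illustration.

```php
<?php
// Added example (not ITFlow's own code): a hypothetical default-deny access
// check that is called at the top of each staff page and before each
// post.php action, plus a separate check for client-portal (guest) sessions.
declare(strict_types=1);

// Access matrix: role => [module => allowed operations]. Values are assumed.
const ACCESS_MATRIX = [
    'admin'      => ['accounting' => ['read', 'write'],
                     'sales'      => ['read', 'write'],
                     'tickets'    => ['read', 'write']],
    'tech'       => ['sales'      => ['read', 'write'],
                     'tickets'    => ['read', 'write']],
    'contractor' => ['tickets'    => ['read', 'write']],
];

/**
 * True if $role may perform $op on $module. Default-deny: an unknown role,
 * module or operation is refused rather than silently allowed.
 */
function role_allows(string $role, string $module, string $op): bool
{
    return in_array($op, ACCESS_MATRIX[$role][$module] ?? [], true);
}

/**
 * Every staff page calls this first. A guest (client-portal) session sets
 * only $_SESSION['guest_logged'], never $_SESSION['logged'], so a client
 * typing /tickets.php by hand is treated as unauthenticated here.
 */
function require_staff_access(string $module, string $op): void
{
    if (empty($_SESSION['logged'])) {
        header('Location: /login.php');
        exit;
    }
    $role = (string) ($_SESSION['user_role'] ?? '');   // assumed session key
    if (!role_allows($role, $module, $op)) {
        http_response_code(403);
        exit('Access denied');
    }
}

/**
 * post.php: each action declares the module/operation it needs, so the same
 * check runs no matter which GET/POST parameters the caller supplies.
 * Action names are assumed for illustration.
 */
function handle_post_action(string $action): void
{
    $required = [
        'delete_invoice' => ['sales',      'write'],
        'delete_client'  => ['accounting', 'write'],
        'add_ticket'     => ['tickets',    'write'],
    ];
    if (!isset($required[$action])) {
        http_response_code(400);
        exit('Unknown action');
    }
    [$module, $op] = $required[$action];
    require_staff_access($module, $op);
    // ... perform the action here, still scoped by the session's company_id ...
}

/**
 * Client-portal pages (/guest/...) call this instead. It returns the
 * client id bound to the guest session so queries can be scoped to it.
 */
function require_guest_access(): int
{
    if (empty($_SESSION['guest_logged']) || empty($_SESSION['guest_client_id'])) {
        header('Location: /guest/login.php');
        exit;
    }
    return (int) $_SESSION['guest_client_id'];   // assumed session key
}

// Usage at the top of a staff page such as invoices.php:
//   require_staff_access('sales', 'read');
// Usage in post.php, before any data is touched:
//   handle_post_action((string) ($_GET['action'] ?? ''));
```

The design point is that the matrix lookup is the single place where access is decided, and both pages and post.php actions route through it; hiding a menu entry is then purely cosmetic, and a hand-typed URL or a crafted post.php request meets the same refusal. Keeping the guest session under a different key means the staff check needs no special case for clients at all.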
@wrongecho This makes it much more doable, and I totally agree with having the client portal separate and tailored to the client.
Just for anyone following this: Johnny has started work on redefining the roles. The access matrix we initially came up with is below. This (or something similar) would be enforced both through restricting menus, pages and validating access for post actions (e.g. password changes (#361))
Heyy, @Wikiphil. This should now be fixed. Would you mind doing some testing to confirm we didn't miss anything please?
I'll check as soon as I have some free time! 😊
Hey @Wikiphil, I'm going to close this off as I think we got everything.
If we missed anything, please feel free to re-open :)
Updated matrix - techs should have access to read/edit Sales (quotes/invoices).