Bonobo-Git-Server
[Bug] Permission Control
Version 6.5.0
17 April 2019
A normal user can add himself with an admin role. It can be reproduced with the sequence below:
- Set a normal user as admin. We call it User1
- Login with User1
- Change the role of User1: disable the admin role with another Admin account (it can be done with Chrome's incognito feature, or use another browser)
- Refresh the User1 web page. The repositories are OK. But the User button is still available for User1. He can add the admin role to himself. <--- This is the point
Thanks for this - this type of problem is very common with the kind of cookie auth which ASP.NET (and Core) applications use. The issue is that User1 has a cookie which says he's an admin, and there's nothing about revoking his admin rights (via another session) which can directly reach out to his browser and revoke the cookie.
The only solution is to re-validate the cookie against the database on every access, which isn't usually considered to be very good for performance.
However, I'd say that Bonobo is not usually used in very high-volume environments, and it would probably make sense to make sure that the cookie is revalidated more often.
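One way to implement the "revalidate the cookie against the database on every access" mitigation described above in ASP.NET Core, as an added example that is not Bonobo's own code: the cookie handler's `OnValidatePrincipal` event re-reads the user's roles from the store on each request, rebuilds the principal when they differ from what the cookie claims, and signs the user out if the account is gone. The `IUserRoleStore` interface and the `Administrator` role name are assumptions for the example, not Bonobo's types. The controller at the end shows the server-side check that makes the "set as admin" request fail regardless of what the UI still displays.

```csharp
// Added example, not Bonobo-Git-Server code. Revalidates the auth cookie against
// the user store on every request so that an admin role revoked in another
// session takes effect immediately instead of surviving in the cookie.
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical store (assumption): returns the user's current roles from the
// database, or null if the account no longer exists or is disabled.
public interface IUserRoleStore
{
    Task<string[]> GetRolesAsync(string userName);
}

public static class CookieRevalidation
{
    // Wire this up as the cookie handler's OnValidatePrincipal event.
    public static async Task ValidateAsync(CookieValidatePrincipalContext context)
    {
        var userName = context.Principal?.Identity?.Name;
        var store = context.HttpContext.RequestServices.GetRequiredService<IUserRoleStore>();
        var currentRoles = userName == null ? null : await store.GetRolesAsync(userName);

        if (currentRoles == null)
        {
            // Account deleted or disabled: reject the cookie and end the session.
            context.RejectPrincipal();
            await context.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            return;
        }

        var cookieRoles = context.Principal.FindAll(ClaimTypes.Role)
            .Select(c => c.Value).OrderBy(r => r).ToArray();

        if (!cookieRoles.SequenceEqual(currentRoles.OrderBy(r => r)))
        {
            // Roles changed since the cookie was issued (e.g. admin revoked):
            // rebuild the principal from the database for this request and
            // ask the handler to reissue the cookie with the real roles.
            var identity = new ClaimsIdentity(context.Principal.Identity.AuthenticationType);
            identity.AddClaim(new Claim(ClaimTypes.Name, userName));
            foreach (var role in currentRoles)
                identity.AddClaim(new Claim(ClaimTypes.Role, role));

            context.ReplacePrincipal(new ClaimsPrincipal(identity));
            context.ShouldRenew = true;
        }
    }

    // Registration in Startup.ConfigureServices / Program.cs.
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.Events.OnValidatePrincipal = ValidateAsync;
            });
    }
}

// The backend check that matters independently of what the UI shows: the
// role-changing action itself requires the (assumed) Administrator role, which
// is now evaluated against the freshly revalidated principal.
[Authorize(Roles = "Administrator")]
public class UserAdminController : Controller
{
    private readonly IUserRoleStore _store;

    public UserAdminController(IUserRoleStore store) => _store = store;

    [HttpPost]
    public IActionResult SetAdmin(string userName)
    {
        // Role assignment logic would go here; it is only reachable when the
        // caller's current database roles include Administrator.
        return Ok();
    }
}
```

Re-reading the roles on every request costs one lookup per hit; if that matters, a short in-memory cache keyed by user name that is invalidated when an admin edits a user gives almost the same effect with far fewer queries.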
@willdean In my opinion, it's a minor bug that a 'normal' user can edit the user profile at the frontend. But the backend side accepts the 'set as admin' request. That's the major issue.