Geeklog Forums
Security leak - group permissions
johnmackey
Anonymous
I have a topic named HEADLINES. The owner is Admin, and the topic belongs to group SuperUser (a custom group). It does NOT belong to "all users" or anything like that.
I have constructed a test user who belongs to only ONE custom group called RegularUser. In Group Manager this group has no Security Groups or Rights checked at all. Theoretically this user cannot do anything but read stories. Yet this user is able to submit stories freely to HEADLINES!
Why is this permitted when he is not part of the group at all?
This seems like a serious security leak!
JJ
Dirk
Site Admin
I would assume that you still have the "anonymous" and "members" permissions checked for that topic. Uncheck them and the topic will not be visible for your "RegularUser" group.
Think of the equivalence in a typical Unix file system: A folder (topic) can be owned by someone who is in a particular group, but you can still make it world-readable (anonymous checkbox).
Besides, when you say "Theoretically this user cannot do anything but read stories" - that's not correct. When a user can see a topic, s/he can submit stories for that topic. That's the way Geeklog works, it doesn't support "read-only topics".
bye, Dirk
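The permission model Dirk describes, as an added example that is not part of this thread and not Geeklog's own lib-security code. It models the four-way owner / group / members / anonymous split with first-match semantics (like Unix: the first class the user falls into decides), and follows the convention Geeklog uses for its perm_* values (3 = read and write, 2 = read only, 0 = none); treat that value mapping, the user and group ids, and the "visible implies submittable" rule as assumptions taken from the reply above, not from the Geeklog source.

```python
"""Model of Geeklog-style topic permissions.

Constructed example. The perm_* value convention (3 = R/W, 2 = R, 0 = none),
the user ids and the group ids below are assumptions for illustration.
"""
from dataclasses import dataclass, field

PERM_NONE, PERM_READ, PERM_RW = 0, 2, 3
ANON_UID = 1  # assumption: uid 1 is the anonymous user


@dataclass
class Topic:
    tid: str
    owner_id: int
    group_id: int
    perm_owner: int = PERM_RW
    perm_group: int = PERM_RW
    perm_members: int = PERM_READ   # the "members" checkbox
    perm_anon: int = PERM_READ      # the "anonymous" checkbox


@dataclass
class User:
    uid: int
    groups: set = field(default_factory=set)


def effective_access(topic: Topic, user: User) -> int:
    """First matching class decides, as in a Unix mode: owner, then the
    topic's group, then any logged-in member, then anonymous."""
    if user.uid == topic.owner_id:
        return topic.perm_owner
    if topic.group_id in user.groups:
        return topic.perm_group
    if user.uid != ANON_UID:
        return topic.perm_members
    return topic.perm_anon


def can_see(topic: Topic, user: User) -> bool:
    return effective_access(topic, user) >= PERM_READ


def can_submit_story(topic: Topic, user: User) -> bool:
    # Per the reply above: there are no read-only topics, so being able to
    # see the topic is all that is needed to submit a story to it.
    return can_see(topic, user)


def scenario() -> tuple:
    """Reproduce the HEADLINES case, then apply the suggested fix.

    Returns (submit_before_fix, submit_after_fix, owner_still_can_submit).
    """
    admin_uid = 2                      # assumption
    superuser_gid, regularuser_gid = 101, 102   # assumed group ids
    headlines = Topic("HEADLINES", owner_id=admin_uid, group_id=superuser_gid)

    tester = User(uid=5, groups={regularuser_gid})
    # RegularUser holds no rights, but the "members" checkbox is still set,
    # so the tester falls into the members class and gets read access.
    before = can_submit_story(headlines, tester)

    # The fix: clear the members and anonymous bits on the topic.
    headlines.perm_members = PERM_NONE
    headlines.perm_anon = PERM_NONE
    after = can_submit_story(headlines, tester)

    admin = User(uid=admin_uid, groups={superuser_gid})
    return before, after, can_submit_story(headlines, admin)


if __name__ == "__main__":
    print(scenario())  # (True, False, True)
```

The lesson in the model is the one in the reply: the group membership check never runs for the tester, because the members bit alone already grants read, and read is enough to submit. Note that first-match also means an owner whose own bit is 0 is locked out even if the anonymous bit is set, exactly as with a Unix mode of 0007.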