View Issue Details

This bug affects 3 person(s).
ID: 19414
Project: Bug reports
Category: User / Groups / Roles
View Status: public
Last Update: 2024-10-16 20:07
Reporter: DenisChenu
Assigned To:
Priority: none
Severity: minor
Status: new
Resolution: open
Product Version: 5.6.x
Summary: 19414: Roles management : No way to assign minimal roles by «admin user»
Description

Since the fix for https://bugs.limesurvey.org/view.php?id=18977 (18977: Improper Authorization in add role function leads to privilege escalation), an admin user cannot give a role with only "Manage survey", for example.

Steps To Reproduce

Create a role with "Create survey" + "Use theme"
Create a user with

  • All User permission
  • All Surveys permission
  • All theme permission

As this user: create a user and try to give the role 'SurveyCreator'

Expected result

The user can give this role

Actual result

No way to give this role

Tags: No tags attached.
Bug heat: 16
Complete LimeSurvey version number (& build): 6.4.6
I will donate to the project if issue is resolved: No
Browser: not relevant
Database type & version: not relevant
Server OS (if known): not relevant
Webserver software & version (if known): not relevant
PHP Version: not relevant

Users monitoring this issue

stevelegare

Activities

DenisChenu

2024-02-13 16:24

developer   ~79476

An idea to correct this situation would be to have an additional option on roles: who can assign or delete this role, with:

  • superadmin/write OR
  • superadmin (only) OR
  • "Only user permission"

This setting can only be updated by a user with superadmin/write permission. And only such a user can update roles.
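
One way the per-role option proposed in the note above could be enforced server-side, as an added example that is not part of the original note and is not LimeSurvey code. The tier constants, permission strings and function names are hypothetical, and the three options are read here as tiers of what the acting user must hold.

```php
<?php
// Added illustration; every name below is hypothetical, not LimeSurvey code.
const ASSIGN_SUPERADMIN_WRITE = 'superadmin/write'; // strictest tier, used as default
const ASSIGN_SUPERADMIN       = 'superadmin';
const ASSIGN_USER_PERMISSION  = 'user-permission';

/** May a user holding $actorPerms assign or remove $role? */
function canAssignRole(array $actorPerms, array $role): bool
{
    $isSuperWrite = in_array('superadmin/write', $actorPerms, true);
    $isSuper      = $isSuperWrite || in_array('superadmin', $actorPerms, true);
    // A missing or unknown setting falls back to the strictest tier.
    switch ($role['assignable_by'] ?? ASSIGN_SUPERADMIN_WRITE) {
        case ASSIGN_USER_PERMISSION:
            return $isSuper || in_array('users', $actorPerms, true);
        case ASSIGN_SUPERADMIN:
            return $isSuper;
        default:
            return $isSuperWrite;
    }
}

/** Only superadmin/write may change the setting, as the note requires. */
function setAssignableBy(array $actorPerms, array $role, string $tier): array
{
    if (!in_array('superadmin/write', $actorPerms, true)) {
        throw new RuntimeException('Only superadmin/write may edit roles');
    }
    $allowed = [ASSIGN_SUPERADMIN_WRITE, ASSIGN_SUPERADMIN, ASSIGN_USER_PERMISSION];
    if (!in_array($tier, $allowed, true)) {
        throw new InvalidArgumentException("Unknown tier: $tier");
    }
    $role['assignable_by'] = $tier;
    return $role;
}

// Constructed sample data mirroring the scenario in this report.
$root  = ['superadmin/write'];
$admin = ['users', 'surveys', 'themes'];
$role  = ['name' => 'SurveyCreator', 'permissions' => ['surveys/create', 'themes/read']];

var_dump(canAssignRole($admin, $role));   // role still on the strict default tier
$role = setAssignableBy($root, $role, ASSIGN_USER_PERMISSION);
var_dump(canAssignRole($admin, $role));   // after a superadmin/write user opts the role in
try {
    setAssignableBy($admin, $role, ASSIGN_SUPERADMIN_WRITE);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;       // the admin user cannot change the tier
}
```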

DenisChenu

2024-02-13 16:25

developer   ~79477

Ping @tibor.pacalat: can you ask if such a solution can be accepted in 5.X?
Else: I need a new plugin … :(

Issue History

Date Modified Username Field Change
2024-02-13 16:21 DenisChenu New Issue
2024-02-13 16:24 DenisChenu Note Added: 79476
2024-02-13 16:24 DenisChenu Bug heat 0 => 2
2024-02-13 16:25 DenisChenu Note Added: 79477
2024-07-01 09:17 DenisChenu Summary No way to assign minimal roles by «admin user» => Roles management : No way to assign minimal roles by «admin user»
2024-10-16 20:07 stevelegare Issue Monitored: stevelegare
2024-10-16 20:07 stevelegare Bug heat 2 => 10
2024-10-24 11:48 sampnot12 Bug heat 10 => 16