Bug #9051

Privileges on 'all' group are not being honored

Added by Jim Pingle 9 months ago. Updated 8 months ago.

Status: Resolved
Priority: High
Assignee:
Category: Authentication
Target version:
Start date: 10/19/2018
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture: All

Description

All users are a member of the "All Users" group (actual group name internally: all).

Privileges can be added to this group, but they are not being honored. For example, with the "WebCfg - System: User Password Manager" privilege on the All Users group, a user with no other privileges cannot reach the page.

config-Gateway.System-20181020085724.xml (3.27 KB), System section of config.xml, Ronald Schellberg, 10/20/2018 10:11 AM

Associated revisions

Revision fe1afbb7 (diff)
Added by Jim Pingle 9 months ago

Consider the "all" group when determining privileges. Fixes #9051

Revision 65c71eb3 (diff)
Added by Jim Pingle 9 months ago

Consider the "all" group when determining privileges. Fixes #9051

(cherry picked from commit fe1afbb7549907e0d1cdfbf85d5f36d075a6a916)

Revision 4de15854 (diff)
Added by Jim Pingle 9 months ago

Fix processing of the 'all' group. Fixes #9051

Add the 'all' group to the list of groups at the end, rather than the
start. This way it will be considered no matter how users log in. This
also fixes issues some users had with the original changes.

Revision 20895301 (diff)
Added by Jim Pingle 9 months ago

Fix processing of the 'all' group. Fixes #9051

Add the 'all' group to the list of groups at the end, rather than the
start. This way it will be considered no matter how users log in. This
also fixes issues some users had with the original changes.

(cherry picked from commit 4de15854384e28004b0dc571dc8a40fda7eae694)

History

#1 Updated by Jim Pingle 9 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#2 Updated by Ronald Schellberg 9 months ago

Jim Pingle wrote:

All users are a member of the "All Users" group (actual group name internally: all).

Privileges can be added to this group, but they are not being honored. For example, with the "WebCfg - System: User Password Manager" privilege on the All Users group, a user with no other privileges cannot reach the page.

This change set has created another issue for me. I had created a second admin logon in the user manager GUI and disabled the default "admin" user for increased security.

When I attempted to log on with the second admin user, I got the "no page assigned to this user! Click here to logout." error response. Since the default admin user had been disabled, recovery required that I resort to the "Option 3 - reset webConfigurator password" console option to gain GUI access again.

For some reason the GUI does not recognize my second admin user to be part of the admins group. The group page shows a member count of 2 in the admins group and my second admin user is listed in the members list.

When I review the "all" group, it has no assigned privileges, triggering the "no page assigned" response I assume. I could add privileges to "all" group, but that would defeat the purpose of the admins group.

For now I have reverted to using the default "admin" user name.

#3 Updated by Jim Pingle 9 months ago

  • Status changed from Feedback to In Progress

That should not have been caused by this but I'll test it some more.

This should have only added privileges to the list a user has, not removed any access.

Do you mind sharing your user/group sections of config.xml so I can replicate it here? (remove the passwords and any other identifying info)

#4 Updated by Ronald Schellberg 9 months ago

Should be easy to replicate, I just added a new user to admins group.

In the attached config I had added "page-dashboard-all" privilege to the "all" group to avoid the "no page assigned" error.

#5 Updated by Michael Kellogg 9 months ago

I just upgraded and got "no page assigned".

#6 Updated by Michael Kellogg 9 months ago

Removed the 'all' from both files and got access again. Also, admin is disabled; using a different user as admin.

#7 Updated by Jim Pingle 9 months ago

  • Status changed from In Progress to Feedback

#8 Updated by Paighton Bisconer 8 months ago

  • Status changed from Feedback to Resolved

Tested on 2.4.5.a.20181116.1325

New user with no privileges receives "No page assigned to user"

After adding "WebCfg - All Pages" to the All group and logging in again with the same user, pages are accessible.

Marking resolved.
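The resolution order this ticket settles on, as an added example (a simplified Python model written for this page, not pfSense's code): the implicit 'all' group is appended after the groups already found for the user, so existing memberships such as admins are kept. The configuration layout, the function names and the `login_groups` parameter are assumptions.

```python
# Simplified model of the privilege resolution discussed in this ticket.
# Not pfSense code: data layout and function names are assumptions.
ALL_GROUP = "all"                      # internal name of "All Users"
ALL_PAGES = "WebCfg - All Pages"       # treated here as granting every page
PASSWORD_MGR = "WebCfg - System: User Password Manager"

def sample_config(all_privs=()):
    """Constructed configuration: one unprivileged user, one second admin."""
    return {
        "users": {"newuser": {"privs": []}, "admin2": {"privs": []}},
        "groups": {
            ALL_GROUP: {"members": [], "privs": list(all_privs)},
            "admins": {"members": ["admin2"], "privs": [ALL_PAGES]},
        },
    }

def effective_groups(username, config, login_groups=None):
    """Groups to evaluate for a user, with the implicit group appended last."""
    if login_groups is not None:
        # Assumption: an external authentication source supplied group names.
        groups = [g for g in login_groups if g in config["groups"]]
    else:
        groups = [name for name, grp in config["groups"].items()
                  if username in grp["members"]]
    # Append rather than replace: memberships found above must survive.
    if ALL_GROUP not in groups:
        groups.append(ALL_GROUP)
    return groups

def effective_privileges(username, config, login_groups=None):
    """Union of the user's own privileges and those of every group."""
    privs = set(config["users"].get(username, {}).get("privs", []))
    for name in effective_groups(username, config, login_groups):
        privs |= set(config["groups"].get(name, {}).get("privs", []))
    return privs

def can_access(username, page_priv, config, login_groups=None):
    """True if the user holds the page privilege or the all-pages privilege."""
    privs = effective_privileges(username, config, login_groups)
    return ALL_PAGES in privs or page_priv in privs

if __name__ == "__main__":
    cfg = sample_config(all_privs=[PASSWORD_MGR])
    for user in ("newuser", "admin2"):
        print(user, effective_groups(user, cfg),
              sorted(effective_privileges(user, cfg)))
```

An empty result from `effective_privileges` corresponds to the "no page assigned" case reported in the comments.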
