Bug #9051
closed
Privileges on 'all' group are not being honored
100%
Description
All users are a member of the "All Users" group (actual group name internally: all).
Privileges can be added to this group, but they are not being honored. For example, with the "WebCfg - System: User Password Manager" privilege on the All Users group, a user with no other privileges cannot reach the page.
Files
Updated by Jim Pingle about 6 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset fe1afbb7549907e0d1cdfbf85d5f36d075a6a916.
Updated by Ronald Schellberg about 6 years ago
Jim Pingle wrote:
All users are a member of the "All Users" group (actual group name internally:
all).Privileges can be added to this group, but they are not being honored. For example, with the "WebCfg - System: User Password Manager" privilege on the All Users group, a user with no other privileges cannot reach the page.
This change set has created another issue for me. I had created a second admin logon in the user manager GUI and disabled the default "admin" user for increased security.
When I attempted to log on with second admin user, I get the "no page assigned to this user! Click here to logout." error response. Since the default admin user had been disabled, recovery required I had to resort to the "Option 3 - reset webConfigurator password" console option to gain GUI access again.
For some reason the GUI does not recognize my second admin user to be part of the admins group. The group page shows a member count of 2 in the admins group and my second admin user is listed in the members list.
When I review the "all" group, it has no assigned privileges, triggering the "no page assigned" response I assume. I could add privileges to "all" group, but that would defeat the purpose of the admins group.
For now I have reverted to using the default "admin" user name
Updated by Jim Pingle about 6 years ago
- Status changed from Feedback to In Progress
That should not have been caused by this but I'll test it some more.
This should have only added privileges to the list a user has, not removed any access.
Do you mind sharing your user/group sections of config.xml so I can replicate it here? (remove the passwords and any other identifying info)
Updated by Ronald Schellberg about 6 years ago
Should be easy to replicate, I just added a new user to admins group.
In the attached config I had added "page-dashboard-all" privilege to the "all" group to avoid the "no page assigned" error.
Updated by Michael Kellogg about 6 years ago
I just upgraded and got no page assigned
Updated by Michael Kellogg about 6 years ago
removed the 'all' from both files and got access again, also admin is disabled using different user as admin
Updated by Jim Pingle about 6 years ago
- Status changed from In Progress to Feedback
Applied in changeset 4de15854384e28004b0dc571dc8a40fda7eae694.
Updated by Paighton Bisconer about 6 years ago
- Status changed from Feedback to Resolved
Tested on 2.4.5.a.20181116.1325
New user with no privileges receives "No page assigned to user"
After adding "WebCfg - All Pages" to the All group and logging in again with the same user, pages are accessible.
Marking resolved.