Bug #9541

Non-admin user with admin rights is given the wrong URL for the user manager

Added by Steve Wheeler 5 months ago. Updated about 2 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: User Manager / Privileges
Target version:
Start date: 05/21/2019
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.4.x
Affected Architecture: All

Description

In 2.4.4p3, a user with admin rights who is not the admin user is given the following URL when opening the user manager:
https://x.x.x.x/system_usermanager_passwordmg.php

The admin user is given the correct URL:
https://x.x.x.x/system_usermanager.php

This does not happen in 2.4.4p2.

Associated revisions

Revision cf529cbe (diff)
Added by Jim Pingle 5 months ago

Remove wildcards incorrectly used in isAllowedPage(). Fixes #9541

Revision b9ed452d (diff)
Added by Jim Pingle 5 months ago

Remove wildcards incorrectly used in isAllowedPage(). Fixes #9541

(cherry picked from commit cf529cbe33ae53f3f95b37a227da141b97465f20)

History

#1 Updated by Andy Kniveton 5 months ago

Also get https://x.x.x.x/system_usermanager_passwordmg.php when you use FreeRadius for the user auth.

#2 Updated by Jim Pingle 5 months ago

  • Status changed from New to In Progress
  • Assignee set to Jim Pingle

Looks like it's due to an instance of an incorrect usage of a wildcard when attempting to patch the page. The new stricter matching code doesn't allow that, and it is not necessary in this case.

#3 Updated by Jim Pingle 5 months ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

#4 Updated by James Dekker 3 months ago

  • Status changed from Feedback to Resolved

On 20190725-0909, unable to reproduce the bad behavior.

#5 Updated by Jim Pingle about 2 months ago

  • Category changed from Web Interface to User Manager / Privileges
