Bug #9541

closed

Non-admin user with admin rights is given the wrong URL for the user manager

Added by Steve Wheeler about 2 years ago. Updated 5 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: User Manager / Privileges
Target version:
Start date: 05/21/2019
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.x
Affected Architecture: All

Description

In 2.4.4p3, a user with admin rights who is not the admin user is given the following URL when opening the user manager:
https://x.x.x.x/system_usermanager_passwordmg.php

The admin user is given the correct URL:
https://x.x.x.x/system_usermanager.php

This does not happen in 2.4.4p2.


Files

pfSense User Manager Bug.png (76.1 KB) Michael Alden, 02/22/2021 02:11 PM

Actions #1

Updated by Andy Kniveton about 2 years ago

Also get https://x.x.x.x/system_usermanager_passwordmg.php when you use FreeRadius for the user auth.

Actions #2

Updated by Jim Pingle about 2 years ago

  • Status changed from New to In Progress
  • Assignee set to Jim Pingle

Looks like it's due to an instance of an incorrect usage of a wildcard when attempting to patch the page. The new stricter matching code doesn't allow that, and it is not necessary in this case.

Actions #3

Updated by Jim Pingle about 2 years ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

Actions #4

Updated by Anonymous about 2 years ago

  • Status changed from Feedback to Resolved

On 20190725-0909, unable to reproduce the bad behavior.

Actions #5

Updated by Jim Pingle almost 2 years ago

  • Category changed from Web Interface to User Manager / Privileges

Actions #6

Updated by Jim Pingle over 1 year ago

  • Target version changed from 2.5.0 to 2.4.5

Actions #7

Updated by Jim Pingle over 1 year ago

  • Status changed from Resolved to Feedback

Needs checked and/or tested again on 2.4.5 snapshots

Actions #8

Updated by Jim Pingle over 1 year ago

  • Status changed from Feedback to Resolved

Works as expected on 2.4.5.a.20191218.2354

Actions #9

Updated by Michael Alden 5 months ago

Testing this on 2.5.0-RELEASE, it looks like the bug is either still present or there's been a regression—screen capture attached.

This patch still works as expected, https://github.com/pfsense/pfsense/commit/b9ed452dbba4689e6280efa7f503e30809a3d8e4

Actions #10

Updated by Jim Pingle 5 months ago

The code in 2.5.0 is the same as the post-patch code there. Perhaps you accidentally reverted that patch after being on the release?

https://github.com/pfsense/pfsense/blob/RELENG_2_5_0/src/usr/local/www/head.inc#L259
