[ http://jira.magnolia-cms.com/browse/MAGNOLIA-3006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=27120#action_27120 ]

Philipp Bärfuss commented on MAGNOLIA-3006:
-------------------------------------------

The ACLs were added because the user must be able to change his own password.

I would go for a) as this is the only safe solution. But then we have to ensure
that the user can change his properties in the dialog (but not the group and
role assignments).

> privileges escalation by logged user
> ------------------------------------
>
>                 Key: MAGNOLIA-3006
>                 URL: http://jira.magnolia-cms.com/browse/MAGNOLIA-3006
>             Project: Magnolia
>          Issue Type: Bug
>          Components: admininterface, security
>    Affects Versions: 4.2.3
>            Reporter: Jan Haderka
>            Assignee: Jan Haderka
>            Priority: Blocker
>
> Under certain conditions it is possible for a knowledgeable user to escalate
> his/her own privileges beyond those originally assigned. The "user" in
> question must be a valid user with access to AdminCentral. The issue doesn't
> affect anonymous users.
