http://issues.apache.org/bugzilla/show_bug.cgi?id=43915

           Summary: AC Auth controls admin area
           Product: Lenya
           Version: Trunk
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: Access Control
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]

One of my testers has found an easy way to escalate rights in Lenya. If someone has admin rights to a subtree, they can use these rights to gain full access to the admin tab. This is not desirable as one would grant admin on a subtree so that the sub-admin can administer rights on that subtree.

To replicate:

Log in as lenya
Grant editor group admin to editors under AC Auth from index
Log out
Log in as alice
Go to admin tab
Create users
Go back to site
Change to sibling of index/home
Go back to admin, you will now be blocked (so long as you didn't add alice to admin group, which you easily could have).
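Added example, not part of the original report and not Lenya code: a small Python model of the behaviour described above, contrasting an admin-area check evaluated against the page the user came from with one bound to the site root. The policy table, paths and function names are constructed, the editor group is flattened to the single user alice, and the cause (the admin area reusing the current page's roles) is an assumption drawn from the replication steps.

```python
# Simplified model of path-scoped role grants; not Lenya's access-control code.
# Policies, paths and function names are constructed for illustration.

POLICIES = {
    "/": {"lenya": {"admin"}},        # site-wide administrator
    "/index": {"alice": {"admin"}},   # sub-admin for the /index subtree only
}


def roles_at(user, path, policies=POLICIES):
    """Union of roles granted to `user` on `path` and on every ancestor."""
    roles = set(policies.get("/", {}).get(user, set()))
    prefix = ""
    for segment in [s for s in path.split("/") if s]:
        prefix += "/" + segment
        roles |= policies.get(prefix, {}).get(user, set())
    return roles


def admin_area_allowed_by_current_page(user, current_page):
    """Behaviour matching the report (assumed cause): the site-wide admin
    area is authorised with the roles held on the page the user came from."""
    return "admin" in roles_at(user, current_page)


def admin_area_allowed_site_wide(user):
    """Scoped check: the global admin area requires the role at the root."""
    return "admin" in roles_at(user, "/")


def can_administer_subtree(user, path):
    """What the subtree grant is meant to give: rights on that subtree."""
    return "admin" in roles_at(user, path)


if __name__ == "__main__":
    for page in ("/index", "/sibling"):
        print(page, "current-page check:",
              admin_area_allowed_by_current_page("alice", page),
              "| root-bound check:", admin_area_allowed_site_wide("alice"))
```

The same assertions work as a regression test once the real check is fixed: a subtree grant must never change the answer for the global admin area.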
