emma created GUACAMOLE-507:
------------------------------

             Summary: Allow "change own password" for user account allow to modify / delete existing connections
                 Key: GUACAMOLE-507
                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-507
             Project: Guacamole
          Issue Type: Bug
          Components: guacamole
    Affects Versions: 1.0.0
         Environment: Ubuntu server 16.04.3, guacamole git version client and server
            Reporter: emma
         Attachments: Test_changeOwnPassword_usertab_v1.0.0.png, Test_changeOwnPassword_v1.0.0.png

Testing the latest guacamole-client AND guacamole-server git version with TOTP extensions ON and a MySQL database:

Allow "change own password" for user account allow to modify / delete existing connections

I created a standard user "test" by cloning the default admin account "guacadmin". Then I just checked the box "change own password", nothing more; all other boxes are blank!

Then I connected through Guacamole with that new user "test" and tried to change my password. Then I realized I was able to see the Users and Connections tabs and access them! While on the Users tab I cannot modify my own user profile (access denied), on the Connections tab I can modify OR delete existing connections?!

Then I retried with a new user created WITHOUT a clone of the "guacadmin" default account, and this time it seems to work as expected!

Worth checking that and confirming whether there's a security issue relating to cloning an account vs creating a new account?

Thank you!

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)