emma created GUACAMOLE-507:
------------------------------

             Summary: Allowing "change own password" for a user account allows 
modifying / deleting existing connections
                 Key: GUACAMOLE-507
                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-507
             Project: Guacamole
          Issue Type: Bug
          Components: guacamole
    Affects Versions: 1.0.0
         Environment: Ubuntu server 16.04.3, guacamole git version client and 
server
            Reporter: emma
         Attachments: Test_changeOwnPassword_usertab_v1.0.0.png, 
Test_changeOwnPassword_v1.0.0.png

Testing the latest guacamole-client AND guacamole-server git versions with the 
TOTP extension ON and a MySQL database:

Allowing "change own password" for a user account allows modifying / deleting 
existing connections

I create a standard user "test" by cloning the default admin account 
"guacadmin". Then I just check the box "change own password", nothing more; all 
other boxes are blank!

Then I connect through Guacamole with that new user "test" and try to change my 
password. Then I realized I was able to see the Users and Connections tabs and 
access them!

While on the Users tab I cannot modify my own user profile (access denied), on 
the Connections tab I can modify OR delete existing connections?!

Then I retried with a new user created WITHOUT cloning the "guacadmin" default 
account, and this time it seems to work as expected!

Worth checking that and confirming whether there's a security issue relating to 
cloning an account vs creating a new account?

Thank you !
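An audit query, added here as an example (it is not part of the report or of the Guacamole project), that lists every explicit permission stored for one account in the MySQL auth database, so the grants a cloned user carries over from "guacadmin" can be seen directly rather than inferred from the UI tabs. It assumes the Guacamole 1.0.0 table and column names (guacamole_entity, guacamole_user, guacamole_connection, guacamole_system_permission, guacamole_connection_permission, guacamole_user_permission) and the account name "test" from the report.

```sql
-- Added audit query, not from the report. Assumes the Guacamole 1.0.0 MySQL
-- schema names listed above; change @audited to the account under review.
SET @audited := 'test';

-- System-level grants (ADMINISTER, CREATE_USER, CREATE_CONNECTION, ...):
-- these are the checkboxes the reporter left blank.
SELECT 'SYSTEM' AS scope, NULL AS target, sp.permission
FROM guacamole_system_permission sp
JOIN guacamole_entity e ON e.entity_id = sp.entity_id
WHERE e.name = @audited AND e.type = 'USER'

UNION ALL

-- Per-connection grants: UPDATE / DELETE rows here are what let a user
-- modify or delete existing connections with no system permission at all.
SELECT 'CONNECTION', c.connection_name, cp.permission
FROM guacamole_connection_permission cp
JOIN guacamole_entity e ON e.entity_id = cp.entity_id
JOIN guacamole_connection c ON c.connection_id = cp.connection_id
WHERE e.name = @audited AND e.type = 'USER'

UNION ALL

-- Per-user grants: "change own password" is UPDATE on the user's own row;
-- any row naming another user was inherited from the source account.
SELECT 'USER', te.name, up.permission
FROM guacamole_user_permission up
JOIN guacamole_entity e ON e.entity_id = up.entity_id
JOIN guacamole_user tu ON tu.user_id = up.affected_user_id
JOIN guacamole_entity te ON te.entity_id = tu.entity_id
WHERE e.name = @audited AND e.type = 'USER'
ORDER BY scope, target, permission;
```

Run it once with @audited = 'test' and once with @audited = 'guacadmin' and compare the two result sets: a cloned user that still behaves like the admin should show the same CONNECTION and USER rows as the source account, while a freshly created user should show only the single USER row for itself.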

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)