Ticket #433 (new Bug report)

Opened 10 years ago

Last modified 10 years ago

RFE: Allow disabling reusable content library

Reported by: bremy@… Owned by:
Priority: low Milestone: Not yet assigned to a Milestone
Component: Auth server, Authentication, permissions and access control Version:
Keywords: Reusable content management Cc:

Description

When a single user (not an admin) logs into the "admin" page (http://auth.zapquebec.org/admin/index.php) he is not supposed to see the "content management" frame.

It's a critical security failure, because he can access the "reusable content library", and not only read-only: he can modify or delete items!

This feature has to be disabled.

Change History

Changed 10 years ago by benoitg

  • priority changed from high to low
  • component changed from Auth server, Content Management to Auth server, Authentication, permissions and access control
  • summary changed from Unsuitable Admin access to RFE: Allow disabling reusable content library

Actually, the bug is the other way around ;) Everyone is supposed to be able to add content to the library (hopefully artistic), and then ask to put it up on hotspots. It's what wifidog has been designed for!

Save for a few bugs that occasionally broke that feature, it has been in wifidog since almost the beginning!

But right now, because the permission system isn't fully implemented yet (specifically, default system roles aren't implemented yet), there is no "validated user" role that we can tie SERVER_PERM_EDIT_CONTENT_LIBRARY to. So right now only users that have been assigned a role that includes SERVER_PERM_EDIT_CONTENT_LIBRARY see that menu option (and indeed, my Zap Québec user does NOT see it), but don't expect that to continue. Working on this specific permission as a proof of concept is how I noticed that I needed to add default roles before I continue, but I didn't realize that I had broken something I consider a fundamental feature.

It's a critical security failure, because he can access the "reusable content library", and not only read-only: he can modify or delete items!

Only for items the user owns (or has been granted access to)

This feature has to be disabled.

In my opinion, this feature has to be restored!

There have been repeated requests for people to help finish the permission system and add access control to the different areas of wifidog. That will make this (and a lot more) configurable according to every group's choices. I spent a few hundred hours creating the API, documenting it really well, and implementing most of it, as well as using it in several places already (as examples). Unfortunately, so far I didn't get any help.
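Added example (not wifidog's own PHP code, and not part of this ticket): a small Python model of the two checks the comment above describes. Seeing the "Reusable content library" menu entry depends on holding a role that includes SERVER_PERM_EDIT_CONTENT_LIBRARY, while modifying or deleting an item additionally requires owning it or having been granted access to it. The permission name is the one named in the ticket; the "contributor" role, the User/ContentItem shapes, the ContentLibrary class and the sample users and items are all constructed assumptions for this example. The point a practitioner should take from it: hiding the menu is only UI gating, so the delete handler re-checks the permission and the ownership server-side rather than trusting that a non-privileged user never found the page.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Permission name taken from the ticket; everything else in this file is a
# constructed model for illustration, not wifidog's code or data model.
SERVER_PERM_EDIT_CONTENT_LIBRARY = "SERVER_PERM_EDIT_CONTENT_LIBRARY"


@dataclass(frozen=True)
class Role:
    name: str
    permissions: FrozenSet[str]


@dataclass(frozen=True)
class User:
    username: str
    roles: Tuple[Role, ...] = ()

    def has_permission(self, perm: str) -> bool:
        # A user holds a permission if any assigned role includes it.
        return any(perm in role.permissions for role in self.roles)


@dataclass
class ContentItem:
    item_id: int
    owner: str
    title: str
    # Usernames the owner has explicitly granted edit access to (assumed field).
    granted: FrozenSet[str] = frozenset()


class ContentLibrary:
    def __init__(self) -> None:
        self._items: Dict[int, ContentItem] = {}

    def add(self, item: ContentItem) -> None:
        self._items[item.item_id] = item

    def get(self, item_id: int) -> ContentItem:
        return self._items[item_id]

    def count(self) -> int:
        return len(self._items)

    def admin_menu(self, user: User) -> List[str]:
        """UI gating only: the library entry is shown when a role grants the
        permission. This hides a link; it does not enforce anything."""
        entries = ["Profile"]
        if user.has_permission(SERVER_PERM_EDIT_CONTENT_LIBRARY):
            entries.append("Reusable content library")
        return entries

    def can_modify(self, user: User, item: ContentItem) -> bool:
        """Server-side authorization: the caller needs the permission AND must
        own the item or have been granted access to it."""
        if not user.has_permission(SERVER_PERM_EDIT_CONTENT_LIBRARY):
            return False
        return user.username == item.owner or user.username in item.granted

    def delete(self, user: User, item_id: int) -> None:
        # Handler re-checks authorization instead of trusting the menu gating.
        item = self._items.get(item_id)
        if item is None:
            raise KeyError(item_id)
        if not self.can_modify(user, item):
            raise PermissionError(f"{user.username} may not delete item {item_id}")
        del self._items[item_id]


def build_demo() -> Tuple[ContentLibrary, User, User, User]:
    """Constructed sample data: one role carrying the permission, two users
    holding it, one user without any role, and two library items."""
    contributor = Role("contributor", frozenset({SERVER_PERM_EDIT_CONTENT_LIBRARY}))
    alice = User("alice", (contributor,))
    bob = User("bob", (contributor,))
    carol = User("carol")  # no role: no menu entry, and every handler check fails
    lib = ContentLibrary()
    lib.add(ContentItem(1, owner="alice", title="Mural photo"))
    lib.add(ContentItem(2, owner="bob", title="Poem", granted=frozenset({"alice"})))
    return lib, alice, bob, carol


if __name__ == "__main__":
    lib, alice, bob, carol = build_demo()
    print(lib.admin_menu(alice))              # ['Profile', 'Reusable content library']
    print(lib.admin_menu(carol))              # ['Profile']
    print(lib.can_modify(bob, lib.get(1)))    # False: bob holds the permission but does not own item 1
    lib.delete(alice, 2)                      # allowed: alice was granted access to bob's item
    print(lib.count())                        # 1
```

In this model a user who guessed the library URL without the permission, or who holds the permission but targets someone else's item, is refused by `delete()` regardless of what the menu showed them, which is the behaviour the comment describes ("only for items the user owns or has been granted access to").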
