Closed (cannot reproduce)
Project:
Subuser
Version:
7.x-2.0-alpha2
Component:
Code
Priority:
Normal
Category:
Bug report
Assigned:
Unassigned
Issue tags:
Reporter:
Created:
27 Jul 2011 at 10:17 UTC
Updated:
30 Jul 2015 at 05:46 UTC
Jump to comment: Most recent
Comments
Comment #1
seanenroute commentedI can confirm that this is still an issue and opens up a severe hole in the security of the site. By typing in /user/1/subuser anyone can take over the super user role.
Comment #2
lauriiiI cant reproduce this. Maybe we need some tests for this?
Comment #3
lauriiiHappily this issue doesn't exist. Please remember in the future, if you find open security issue from a module you have to report it to a separated security issue queue, not to the public issue queue. Otherwise the fix is public and the sites are in a very unsecure phase because there might not be fix available immediately.
Comment #4
shabam commentedJust a note. The reason why sites have this issue is because they have "View subusers" permission on which allows the user with those permissions to view ALL subusers. There is a patch here https://www.drupal.org/node/2542196 that corrects the wording on the permissions to clarify this.