security hole?
jbc - January 30, 2008 - 19:58
| Project: | userplus |
| Version: | 5.x-1.1 |
| Component: | User interface |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | duplicate |
Description
The userplus is great at adding multiple users.
However, this is a privilege which is generally going to be granted to a role with less privilege than SITE ADMIN type roles, i.e. teachers, instructors (etc., as in DrupalEd, for example).
However, any role who has access to the userplus interface (not just settings) seems to be able to add new people into SITE ADMIN type roles.
Am I missing something? Or is this a security hole?

#1
Please post repeatable steps if you find a problem. Only users with 'administer users' privileges should have access to the userplus interface. That's the same privilege that is checked by the user module.
Please close this out if it's not an issue.
Thanks,
Marc
#2
1. User 1 = Site Admin; has "administer users" privilege so can access user plus and can create users of any role.
2. User 2 = Course Instructor: I want this user to be able to access user plus in order to add multiple users. However, I do not want this user to be able to create users with Site Admin privilege.
I accept this is not a security 'bug'. It's not a programming failure. You could say it's a feature request. But I was also trying to point out that for the typical implementation, someone who sets up a secondary, non-Site Admin to be able to access User Plus, may not realise that they are opening a security hole, which allows a non-Site Admin to set up new users as Site Admin.
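The split that #1 and #2 circle around (one coarse 'administer users' permission gating both account creation and the roles a new account receives) can be expressed as a second permission. The sketch below is an added example for this thread, a hypothetical Drupal 5 module named `rolegate`; it is not userplus code and not from any participant. The bulk-add form id (`ROLEGATE_FORM_ID`) and the `account` → `roles` checkbox path are assumptions borrowed from the core user edit form.

```php
<?php
// Hypothetical module "rolegate" (added example, not part of userplus).
// Drupal 5 API used: hook_perm(), hook_form_alter($form_id, &$form),
// user_access(), user_roles(), form_set_error().

// Placeholder: the id of the userplus bulk-add form is not given on this page.
define('ROLEGATE_FORM_ID', 'PLACEHOLDER_userplus_form_id');

/**
 * Implementation of hook_perm().
 * Separates "may create accounts" from "may hand out privileged roles".
 */
function rolegate_perm() {
  return array('assign administrative roles');
}

/**
 * Roles that themselves carry 'administer users'. Anyone who can hand these
 * out can mint further administrators, so these are the roles to gate.
 * user_roles($membersonly, $permission) returns rid => role name.
 */
function rolegate_admin_roles() {
  return user_roles(TRUE, 'administer users');
}

/**
 * Implementation of hook_form_alter() (Drupal 5 signature).
 * Removes administrative roles from the checkbox list for users who lack
 * the finer permission, and registers a server-side validator as well.
 */
function rolegate_form_alter($form_id, &$form) {
  if ($form_id != ROLEGATE_FORM_ID || user_access('assign administrative roles')) {
    return;
  }
  // Assumption: roles live at $form['account']['roles'] as in the core user form.
  if (isset($form['account']['roles']['#options'])) {
    foreach (rolegate_admin_roles() as $rid => $name) {
      unset($form['account']['roles']['#options'][$rid]);
    }
  }
  // Hiding a checkbox is not an access check; validate the submitted values too.
  $form['#validate']['rolegate_validate_roles'] = array();
}

/**
 * Drupal 5 validate callback: reject any administrative rid in the submission.
 * Checkbox values arrive as rid => rid (or 0 when unchecked), hence array_filter().
 */
function rolegate_validate_roles($form_id, $form_values) {
  if (user_access('assign administrative roles')) {
    return;
  }
  $chosen = array_filter((array) $form_values['roles']);
  foreach (array_intersect_key(rolegate_admin_roles(), $chosen) as $name) {
    form_set_error('roles', t('You may not assign the %role role.', array('%role' => $name)));
  }
}
```

With this in place a Course Instructor role can be granted 'administer users' for bulk adding while only Site Admin holds 'assign administrative roles'; the validator is what actually enforces it, the form alteration only improves the UI.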
#3
This is already documented: http://drupal.org/node/151311
Marking this as duplicate.