Problem/Motivation
Currently module allows to masquerade to other users that have ANY of allowed roles (set in role permissions)
But the weight of role is not respected, so allows to masquerade as user with roles that has higher weight of roles
That allows to masquerade as Administrator role if that user has ANY other allowed roles
Proposed resolution
Hardening the check for roles by taking into account role weight.
That means:
if user(which we going to masquerade) has roles that current user has no access no access should be granted
Remaining tasks
User interface changes
API changes
Data model changes
Comment | File | Size | Author |
---|---|---|---|
#26 | negate_role_permissions-2688499-26-interdiff.txt | 7.07 KB | Berdir |
#26 | negate_role_permissions-2688499-26.patch | 8.61 KB | Berdir |
|
Comments
Comment #2
andypostComment #3
mbovan CreditAttribution: mbovan at MD Systems GmbH commentedProviding a patch that allows masquerading access if a user has access to all the target account roles.
Comment #6
mbovan CreditAttribution: mbovan at MD Systems GmbH commentedUnrelated test fails are getting fixed in #2448707: Fix masquerade tests
Comment #7
BerdirIt might be easier to do a return FALSE in case one permission is missing?
Also, I'm wondering what "masquerade as authenticated" then exactly means in this context.
Probably allow to masquerade as user that does not have any other permission. But do we require that permission explicitly if a user has roles, do you always need authenticated and the other? seems a bit weird? Maybe we could special case that, if a user only has that role, we specifically check for that permission, else the loop with return false if !hasPermission()?
Comment #8
mbovan CreditAttribution: mbovan at MD Systems GmbH commentedI thought the same until I saw the doc block:
Yeah, it allows masquerading as normal users, users who have no roles (authenticated role by default).
Comment #9
Berdirwell, then we can simply return NULL instead of FALSE, although I find that a bit strange :)
also, if it's apparently using the true/false/null pattern then it should be using AccessResult but that's a too big change for this issue obviously.
Comment #10
mbovan CreditAttribution: mbovan at MD Systems GmbH commented^ Addressing above. Doing an early NULL return in case of a missing permission.
Comment #11
mbovan CreditAttribution: mbovan at MD Systems GmbH commentedHiding duplicated uploads.
Comment #12
BerdirOk, that doesn't include a special case for authenticed permission yet, but lets see what @andypost thinks if and how we need that.
I think in almost all cases, you will need to select "masquerade as authenticated" permission anyway because you want to authenticate as users without additional roles as well. Means you can't configure to masquerade only users with a specific role and *not* those that are just authenticated. There might be some use cases around that..
Comment #13
mbovan CreditAttribution: mbovan at MD Systems GmbH commentedUsers with a specific role are technically specific role + authenticated role users (at least by the default implementation of
Drupal\user\Entity\User::getRoles()
), which is a bit misleading in UI as "authenticated" role is not displayed...Comment #14
niko- CreditAttribution: niko- as a volunteer commentedComment #15
andypostI totally agree that it needs better protection!
IMO it needs more work to fix "any" case
this check is lost
I think better to compare max role weight of users for protection
looks too strict
Comment #16
Berdir1. kind of, but it's a bit different than before. the question is wheter we want to allow masquerade to *only* a specific role but not authenticed users without a role. I guess so. that's also what the 7.x patch does I think. lets extend that tests that a user has masquerade as some permission but not authenticated can authenticate as a user with that permission but not as one that does not have any permissions other than authenticated.
2. & 3. Nope, as we discussed, role weight is pretty much meaningless, it's not possible to rely on it. that's how it has to work to be secure. However, we possibly need to check documentation and explain that a user must have permission for all the roles that another user has.
Comment #17
andypost#2&3 just needs
hook_help()
additions to explain expected behaviorComment #18
johnchqueRebasing against latest dev version.
Comment #19
andypostProbably it needs rebase/reroll
This issue is a main blocker to stable release
Comment #20
mpp CreditAttribution: mpp commentedI'd suggest to change:
to:
Comment #21
frobI think the suggestion makes it more accurate. I just de-gendered the sentence and removed developery "@role" to try and make it a bit more site-builder accessible.
Comment #22
sasanikolic CreditAttribution: sasanikolic at MD Systems GmbH commentedUpdated the help text with the latest suggestion above from @frob. I slightly adapted it however, since "A user" is he/she and afterwards you used "they". Here is the patch with the updated help text.
Comment #23
Senthil Kumar Kumaran CreditAttribution: Senthil Kumar Kumaran as a volunteer commentedThis is a very critical issue. Thank you for maintainers & supporters addressing this.
Any update on when this will be rolled out with module update?
Best,
Senthil Kumar Kumaran
Comment #24
andypostI think it's only blocker for next beta, queued for tests
Comment #25
andypostJob shows for 8 new coding standard issues https://www.drupal.org/pift-ci-job/1534337
Comment #26
BerdirWe do have to make it a bit inconsistent with existing code to avoid these, defined the properties separtely and made them camelCase.
Comment #27
andypostThanks, gonna commit and create new release
Comment #29
andypostThanks everyone for contribution!
this could be backported to 7.x
Comment #30
sasanikolic CreditAttribution: sasanikolic at MD Systems GmbH commentedUh oh, we missed a typo here. :)
Comment #32
andypost@sasanikolic thank you! fixed)
Comment #33
wturrell CreditAttribution: wturrell as a volunteer commentedI think it'd make sense to add a note/change record about this to the Release Notes page for beta3 - I had a client contact me after masquerade stopped working (although in Permissions I'd selected the roles they needed to masquerade as, such as one called 'Applicant' which most accounts on the site have, I hadn't ticked "Masquerade as Authenticated User"). And I hadn't picked it up myself as I'd only been testing as user 1.
I suspect quite a few people could have ticked custom roles but NOT "as Authenticated User".
Comment #34
gngn CreditAttribution: gngn at Computer Manufaktur GmbH commentedwturrell in #33:
Yes, we had the exact same problem on two sites: masquerade stopped working because we had not checked "Masquerade as Authenticated User" (which worked with beta2).
And since this issue is 7.x-1.x-dev (#29 changed the version for backport) it is harder to find if looking for 8.x issues.
So we agree with the idea of adding an explicit note to the 8.x-2.0-beta3 release notes (something more than just linking "#2688499 by mbovan, Berdir, sasanikolic, yongt9412: Negate role permissions").
Comment #35
andypost@wturrell @gngn any suggestion to write in change record?
Comment #36
gngn CreditAttribution: gngn at Computer Manufaktur GmbH commentedI found out that a masquerading user now really needs all the "Masquerade as ROLE" permissions for all the target account's roles.
With beta2 it was enough to have just one matching permission (besides "as Authenticated User").
This is also mentioned in the change of the help text.
So maybe something like:
If you are using "Masquerade as ROLE" permissions check if you have permissions for all the "Masquerade as ROLE" permissions for all the target account's roles (in beta2 it was enough to have just one matching permission (besides "as Authenticated User").
Comment #37
gngn CreditAttribution: gngn at Computer Manufaktur GmbH commentedMaybe better:
If you are using "Masquerade as ROLE" permissions check if you have permissions for all the "Masquerade as ROLE" permissions for all the target account's roles including "as Authenticated User".
In beta2 it was enough to have just one matching permission (besides "as Authenticated User").